I'd like to be able to (a) block outbound port 25 traffic from any internal IP, except from the internal IP that our mail server (x.x.x.10) is connected to; and (b) allow all other outbound traffic (web browsing, DNS requests etc. etc.),

When setting up the rule, I enter the mail server IP address (x.x.x.10) and select the invert '!' option (i.e. don't apply the rule to this address, but apply it to every other address). The router then seems to not allow any port 25 traffic out at all. Should I be defining 'objects' instead and using those in the rules?

Use two rules to achieve this with the first rule being the allow rule for the mail server. Setup a rule lan to wan source ip is your mail server destination ip is your isp and port is obviously port 25 set this rule to pass immediately.

This rule by itself wont change anything but it excludes your mail server from the next rule which is a basic any source any destination port 25 and set to block immediately.

Any machine on your network other than your mail server trying to send mail on port 25 now wont be able to.