Write a test (or scoreless '__') rule that examines the 'Received:' headers and looks for any IP address that -ISN'T- your internal subnet. (for example, call that rule __EXTERNAL_IP)
Looks good.
For portability, it would be good to recode it as a plugin that gets the real interface values for the machine. I'll have to investigate how hard that would be.
