It’s sure been a while since I’ve worked on something like this but 10 years ago I was your man!
Anyway, from the top of my head you’d want HAProxy load balancing the usual ports to your CAS servers(Mostly just 443 these days), this is fairly standard so you will find plenty of info online.
For the Anti-spam/AV… I’d use one of the following:
https://www.mailscanner.info/ - Personal favorite, was certainly my number one choice years ago!
https://www.ijs.si/software/amavisd/ - Not used Amavisd-new but used Amavisd a very long time ago to great success
I’d suggest putting these in front of a port 25 HAProxy config to the HT servers, this way the mail cleaning setup gets the real source IP address so can use things like RBL’s or ACL’s to lock it down by source address.