Hi Ivana,
You can define SMTP authentication on your existing Public listener (on port 25). Just edit the Default Policy Parameters of your Mail Flow Policies and enable it there. I would also recommend configuring TLS as preferred, and checking the box "require TLS to offer authentication" (or something like that :)), since basic SMTP authentication is plain text.
Also, unless you have a valid reason, you may consider consolidating your setup to a single listener for both Incoming and Outgoing mail. The two-listener setup is typical for long-running ESA deployments (i.e. that's how we did it in the past :)), but for a while now we can use the same listener for both directions.
If you want to be fully RFC compliant, run a separate listener *only* for authenticated connections - have a simple HAT, accept all connections, but *require* TLS and authentication on it, and run it on port 587.
Hope that helps!
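
An added example, not part of the reply above and not Cisco code: a Python check that a listener advertises AUTH only after STARTTLS, which is the behaviour the "require TLS to offer authentication" setting is meant to give. The EHLO replies are constructed samples, and the host passed to `probe` is whichever listener you administer.

```python
import smtplib
import ssl

def parse_ehlo(reply: str) -> dict:
    """Map each ESMTP keyword in a raw EHLO reply to its parameter list."""
    caps = {}
    for line in reply.splitlines()[1:]:      # first line is only the greeting
        words = line[4:].split() if line.startswith("250") else []
        if words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps

def audit(pre_tls: dict, post_tls: dict) -> list:
    """Findings for a listener that should offer AUTH only after STARTTLS."""
    findings = []
    if "STARTTLS" not in pre_tls:
        findings.append("STARTTLS not offered")
    if "AUTH" in pre_tls:
        findings.append("AUTH offered before TLS: " + " ".join(pre_tls["AUTH"]))
    if "AUTH" not in post_tls:
        findings.append("AUTH not offered after TLS")
    return findings

def _features(smtp: smtplib.SMTP) -> dict:
    # smtplib stores the last EHLO reply as {keyword: "param param ..."}
    return {k.upper(): v.upper().split() for k, v in smtp.esmtp_features.items()}

def probe(host: str, port: int = 25) -> list:
    """Live check of a listener you administer; host and port are yours to supply."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        pre, post = _features(smtp), {}
        if "STARTTLS" in pre:
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()                      # capabilities must be re-read after TLS
            post = _features(smtp)
        return audit(pre, post)

# Constructed sample replies (not captured from a real appliance).
WEAK_PRE = "250-esa.example.test\r\n250-8BITMIME\r\n250-AUTH PLAIN LOGIN\r\n250 STARTTLS"
GOOD_PRE = "250-esa.example.test\r\n250-8BITMIME\r\n250 STARTTLS"
POST_TLS = "250-esa.example.test\r\n250-8BITMIME\r\n250 AUTH PLAIN LOGIN"

if __name__ == "__main__":
    for name, pre in (("weak", WEAK_PRE), ("good", GOOD_PRE)):
        print(name, audit(parse_ehlo(pre), parse_ehlo(POST_TLS)))
```

`probe` validates the listener's certificate, so a self-signed certificate raises an SSL error before the post-TLS capabilities are read.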