...what you see with nmap from the inside looking at, is different than from the outside looking at. I'll bet mysql requires authorized access, hence 'filtered'.
Port 25 is OK listening on the internal nic and serving only to internal hosts. Use netstat -ln to see what's listening and where:
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN <=sendmail listening to all
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN <=only on the loopback
tcp 0 0 192.168.1.1:25 0.0.0.0:* LISTEN <=bound to address
Webmin is capable of SSL and I personally encourage its use. A properly configured firewall will remove much worry about it running. And as always, a really good root password is suggested.
If in doubt, get an external audit like what you'll find at GRC.
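
The netstat check described in the post above, as an added example that is not part of the original post: a small shell function that reads `netstat -ln` output and labels each TCP listener by how widely its bind address exposes the port. The function names, the sample lines and the port numbers in them are constructed for illustration.

```shell
#!/bin/sh
# classify_listeners: read `netstat -ln`-style lines on stdin and print
# "<port> <scope>" for every TCP socket in LISTEN state.
classify_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        la = $4                          # local address column, e.g. 0.0.0.0:25
        # Split on the LAST colon so IPv6 forms (:::22, ::1:25) parse too.
        n = match(la, /:[0-9]+$/)
        if (n == 0) next
        addr = substr(la, 1, n - 1)
        port = substr(la, n + 1)
        if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            scope = "ALL-INTERFACES"     # reachable on every NIC
        else if (addr ~ /^127\./ || addr == "::1")
            scope = "LOOPBACK-ONLY"      # local processes only
        else
            scope = "BOUND:" addr        # one specific interface address
        printf "%s %s\n", port, scope
    }'
}

# exposed_ports: only the ports listening on every interface, i.e. the
# ones that depend entirely on the firewall to keep outsiders away.
exposed_ports() {
    classify_listeners | awk '$2 == "ALL-INTERFACES" { print $1 }'
}

# Constructed sample input (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:10000       0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

sample_netstat | classify_listeners
```

On a live host, pipe the real output in instead: `netstat -ln | classify_listeners`.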