You can get spamassassin and Clam AV in deb packages from Debian. Optional within spamassassin are DNSBLs, URIBLs, Razor2 servers, and DCC. So you want the Debian box to have an MX preference of 10, and you want to use the Exchange server as a backup MX with a preference of 20. You can set up Postfix as a relay, but it isn't a good idea to have an Exchange box talking SMTP directly with Internet clients, unless it is Exchange 2010 and you have a separate server with the "Edge Role" up front and relaying inward to the real Exchange server that's on your domain (however, I think that costs you an extra Exchange server license). So why not set up an additional Linux box at your primary site, similarly configured as the one at your colo site, and have it protect Exchange?
Here is a link to an article on setting up the config files in /etc/postfix and making Postfix a mail gateway that relays to your Exchange.