mx1001/mx2001 are currently serving both as inbound (for wikimedia.org etc. mail) and as an outbound smarthost (for both system emails and "wiki" mail). These are fundamentally different needs, and merging them into one role can be a little tricky; it has resulted in bugs in the past, such as DKIM signing of inbound emails.
Since these are VMs anyway, it should be relatively straightforward to split the two roles. As a first step, setting up mx1002/mx2002 with the same config should be easy; as a second step, the config can be modified to strip out redundant configuration statements in exim4 and puppet (e.g. running spamd in the outbound ones).
The logical split will be beneficial for Labs' email too (T174608) and both of these tasks can probably be addressed in one go (but in multiple steps, of course).