You need to use 'by DNS MX record' as mentioned. Then ASL needs to know where to send the mail. Assuming that your two mail servers are behind ASL then ASL needs to query an internal DNS server so it gets the internal IPs. Otherwise it knows what the outside knows which is the ASL and you get a loop.
This 'dummy internal domain' DNS also solves other problems when your web servers and such are inside and internal users otherwise try to go to the outside ASL IP and you make all kinds of NAT rules to fix. Internal DNS fixes those problems including email.
If this is the case then setup an internal DNS with a copy of the domain but will return the internal IPs when queried. Set ASL's DNS proxy to forward to this DNS server. The internal DNS server should in turn forward to a server that can resolve everything else on the outside.
This sounds doable. Is this a theory or is it a configuration that you have implemented.
I'm a bit unclear about your last sentence in terms of packet forwarding. That is if I have setup an internal DNS server and ASL would query internal first, then that would mean I have to have another means of reaching the Internet without going through ASL. Otherwise it would go into a loop. Hence, your suggestion of having the internal server forwarding to another server that can resolve for outbound packets. That is how I interpret your suggestions. If I understood you correctly, then I don't have the resources to implement that now but it's really something to think about.
Not exactly. Routing doesn't change. You only have to implement an internal DNS server (the linux box is perfect for this). On that server you set-up your domain and it is just like the DNS the outside users see except any hostnames that are actually inside will resolve the inside iPs for your inside users. ASL also points to this server so your MX (and as many MX records as you want) will work as expected.
I mention packet forwarding because many people set-up complicated rules to handle the problem with DNS where internal users get the IPs of their own servers as the outside sees them. Meaning they try to hit the external interface of ASL when the servers are actually inside from their point of view.
Not theory, in practice for many years. You have a DNS somewhere that the world sees and another that the internal users (and ASL) sees. And you get the benefit of DNS caching.
Sorry if it isn't clear, it is late and my brain hurts.....
I appreciate very much for your taking the time to explain this a little more.
It makes a lot of sense to me now. I need to make some changes to my zone files and do some testing. I hope to gain as much experience in implementing this so that one day, I may also speak by experience.
