In the case of the OP, I would urge him to evaluate if that network topology really makes sense. Does it make sense having two hosts with two different connections? In that case, does it make sense to run services like mail/web servers on these hosts? Shouldn't they be dedicated routers/firewalls instead? And do you really need to use port forwarding connections to a host that is already directly connected to the internet?
It doesn't necessarily make sense. This entire project doesn't make sense. The issue is that we are sending confidential patient records through a private network.
Instead of using something like PKI encryption (like I use at the police station where I also work), this business model decided that all mail should be sent out their private network. Then they can check if the receiver should be receiving email in the first place. They originally wanted to take control of my mail server, and I would pick mail up from them for all my users, and I said no to that. We are retaining control of our network and mail server, and relaying all outbound mail out this new connection. Incoming mail will transfer as normal from all sources except from this private network, which could have confidential patient records, and it needs to come in this new connection from an authenticated mail server to my box.
This project has been dragging out since 2007, and it's really getting on my nerves. They only want to deal with Exchange, and they have been sending instructions out for Exchange, even though they know I am using Linux for my server.
I thought I was almost out of the woods until we started testing the port forwarding, and I've run into these hangups.
I think option 2 will work best for me. The box and connection on y.y.y.y is strictly for communicating with this other mail server I need to relay out, and receive only patient records mail from. If I rewrite the packets to appear to be from 10.10.10.4 I think this will work.
What would the best option for this be? I'm thinking I will have to stop using the gshield firewall that I used to use, and just write the rules manually in iptables, because there will only be half a dozen or so, and once they are written, they will be permanent.
Thanks for the excellent replies.
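As an added illustration of the "half a dozen hand-written iptables rules" approach from the post above (example code, not from the thread or any of its participants): a small script that generates the rules for the private link so they can be reviewed before being applied. The interface name `eth1` and the partner address `192.0.2.25` are assumed placeholders; `10.10.10.4` is the rewrite address the post mentions.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the handful of
# iptables rules for the private mail link, printing them for review rather
# than applying them. Interface and partner address are assumed placeholders.
PRIV_IF="${PRIV_IF:-eth1}"             # interface on the private network (the y.y.y.y side)
PRIV_SRC="${PRIV_SRC:-10.10.10.4}"     # source address the partner expects our packets to carry
PARTNER_MX="${PARTNER_MX:-192.0.2.25}" # partner's authenticated mail server (placeholder, RFC 5737 range)
SMTP_PORT=25

# Emit the rules as text. Only the private interface is touched, so the
# public-side web and mail services on the same host are left alone.
build_rules() {
    cat <<EOF
iptables -A INPUT -i $PRIV_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound SMTP on the private link is accepted only from the partner MTA.
iptables -A INPUT -i $PRIV_IF -p tcp -s $PARTNER_MX --dport $SMTP_PORT -j ACCEPT
# Anything else arriving on the private link is logged, then dropped.
iptables -A INPUT -i $PRIV_IF -j LOG --log-prefix "priv-link-drop: "
iptables -A INPUT -i $PRIV_IF -j DROP
# Outbound relay to the partner leaves via the private link with the agreed source address.
iptables -t nat -A POSTROUTING -o $PRIV_IF -p tcp -d $PARTNER_MX --dport $SMTP_PORT -j SNAT --to-source $PRIV_SRC
EOF
}

# Number of actual iptables commands (comments excluded), for a quick sanity check.
rule_count() {
    build_rules | grep -c '^iptables'
}

# Print by default; apply (as root) only when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    build_rules | sh
else
    build_rules
fi
```

The rules assume a route to the partner server already points out the private interface; the firewall does not provide that routing itself.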