Destination side of connection sees firewall IP instead of NAT IP

I sure hope someone can help with this. The problem is that some mail servers see my firewall's IP address as the address of the incoming SMTP connection when my mail server tries to send mail to them.

My mail server is behind my firewall with an internal IP. The firewall (a Cisco 1841) is performing static NAT for the internal IP to a valid public IP.

Under what circumstances would the destination of my connection see my mail server's IP as the firewall's IP?

Reply to
twhite68

Looks like everything is OK.

Never.

Yours, VB.

Reply to
Volker Birk

comp.dcom.sys.cisco would be a better place for Cisco-specific messages.

The destination would see the firewall's IP instead of the mail server's IP if the NAT (network address translation) for outgoing SMTP connections is not configured to use the mail server's IP.

For example, the Cisco PIX equivalent of this situation would be:

static (inside,outside) tcp SERVERPUBLICIP smtp SERVERPRIVATEIP smtp netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

In this configuration, the static translation between SERVERPUBLICIP and SERVERPRIVATEIP would only apply when a TCP packet arrived at the outside interface addressed to SERVERPUBLICIP tcp 25, or when a TCP packet arrives at the inside interface with its source address being SERVERPRIVATEIP and the source port tcp 25. Outgoing SMTP requests, however, would have some random high-numbered port as the source port, and so would not match the static rule, and so would get translated under the nat/global rule that says to use the firewall's outside IP address ("interface") as the source IP address for the packet.

In the PIX example above, the PIX mechanism to indicate that all outgoing connections from SERVERPRIVATEIP should use SERVERPUBLICIP as the source would be

static (inside,outside) SERVERPUBLICIP SERVERPRIVATEIP netmask 255.255.255.255

Notice the lack of port or protocol specification.

The Cisco 1841 has similar concepts, but with a noticeably different syntax. I can't quote the rule syntaxes at the moment for the way that IOS does it (which has varied). Look for "ip nat" statements that either name an access list or else have an access list in-line; you will likely find one that applies to incoming SMTP connections but which does not apply to outgoing SMTP connections.

Reply to
Walter Roberson
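The matching behaviour Walter Roberson describes (a port-specific static only catches traffic whose source port is 25, so an outbound connection from an ephemeral port falls through to the nat/global "interface" rule) can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from Cisco; it is a simplified model of the rule precedence the post explains, not a PIX emulator. The addresses are constructed from documentation ranges, the rule and function names are made up, and `check_outbound_mail_source` is a hypothetical defender's check that reports which rule a given configuration will apply to outbound mail.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses (documentation ranges), standing in for the
# SERVERPRIVATEIP / SERVERPUBLICIP placeholders used in the thread.
SERVERPRIVATEIP = "192.0.2.25"       # mail server's inside address
SERVERPUBLICIP = "203.0.113.25"      # the public address it should present
FIREWALL_OUTSIDE_IP = "203.0.113.1"  # the PIX outside "interface" address
REMOTE_MX = "198.51.100.10"          # some remote mail server (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticRule:
    """Model of a PIX 'static (inside,outside)' entry.

    port=None models the address-only form (no protocol/port given);
    port=25 models 'static (inside,outside) tcp ... smtp ... smtp'.
    """
    public_ip: str
    private_ip: str
    port: Optional[int] = None


def translate_outbound(pkt: Packet, statics: List[StaticRule],
                       pat_interface_ip: str) -> Tuple[str, str]:
    """Return (translated source IP, name of the rule that matched).

    Statics are consulted first. A port-specific static matches an
    inside-originated packet only when its *source* port equals the
    configured port; an address-only static matches any source port.
    Anything unmatched falls to the dynamic rule
    'nat (inside) 1 0.0.0.0 0.0.0.0' / 'global (outside) 1 interface',
    which rewrites the source to the outside interface address.
    """
    for rule in statics:
        if pkt.src_ip != rule.private_ip:
            continue
        if rule.port is None or rule.port == pkt.src_port:
            return rule.public_ip, "static"
    return pat_interface_ip, "nat/global interface"


# The two configurations contrasted in the post.
PORT_STATIC_ONLY = [StaticRule(SERVERPUBLICIP, SERVERPRIVATEIP, port=25)]
ADDRESS_STATIC = [StaticRule(SERVERPUBLICIP, SERVERPRIVATEIP)]


def outbound_smtp_source(statics: List[StaticRule],
                         ephemeral_port: int = 51234) -> str:
    """Source IP a remote MX sees when our server opens an SMTP session."""
    pkt = Packet(SERVERPRIVATEIP, ephemeral_port, REMOTE_MX, 25)
    return translate_outbound(pkt, statics, FIREWALL_OUTSIDE_IP)[0]


def check_outbound_mail_source(statics: List[StaticRule]) -> Tuple[bool, str]:
    """Hypothetical defender's check: does outbound mail leave as SERVERPUBLICIP?

    Returns (ok, explanation). A False result means reverse-DNS/SPF checks
    at the far end will be evaluated against the firewall's address.
    """
    seen = outbound_smtp_source(statics)
    if seen == SERVERPUBLICIP:
        return True, f"outbound mail presents {seen} as expected"
    return False, (f"outbound mail presents {seen}; the static only covers "
                   f"source port 25, so ephemeral-port sessions hit the "
                   f"nat/global interface rule")


if __name__ == "__main__":
    for name, cfg in (("port-specific static", PORT_STATIC_ONLY),
                      ("address-only static", ADDRESS_STATIC)):
        ok, why = check_outbound_mail_source(cfg)
        print(f"{name:22s} ok={ok}  {why}")
```

Running the block shows the port-specific configuration presenting the firewall's outside address for outbound mail and the address-only static presenting SERVERPUBLICIP; the same model also confirms that inbound replies sourced from port 25 match the port-specific static, which is why inbound mail keeps working while outbound mail is affected.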

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.