Calyptix, IP blocks, and SMTP servers

Calyptix Access Enforcer firewalls are great. I’m writing this post from behind our AE1000 right now. I’m a big fan of theirs and intend to deploy many more at our customer sites as we refresh their existing firewalls and servers.

That said, there is a bit of an issue with the SMTP aliasing right now. If you are using a single IP, or have the Calyptix behind another NAT device (normally a DSL or cable broadband endpoint), then you are okay. But if you have a block of IPs configured in the Calyptix, be careful. If you have x.x.x.21 as the Calyptix WAN address and your SMTP server is at x.x.x.22, then your outbound mail is going to have reverse DNS issues, because all mail passes through the Calyptix and reflects the Calyptix external IP, not the SMTP server’s public IP that you’ve mapped.

The fix is very simple: flip the external IP of the Calyptix over to x.x.x.22. You’ll already have the ports mapped properly (those don’t change) if you were doing mapping; at least that was the case with the one I took care of earlier today. Nothing else had to change on the LAN or any other settings on the Calyptix, at least for our situation. Calyptix recommends that partners check out for gotchas to watch out for when doing this too.

Calyptix is aware of the issue (they recommended the IP swap to us) and has a fix in the works that will erase the need for the steps above. But if you have recently deployed an AE with multiple IPs assigned to it and are running into hassles, check your mail headers and try the IP swap.
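One way to do the header check, as an added example that is not part of the original post: it reads the Received chain of a message a recipient got from you and reports whether the mail left from the SMTP server's mapped IP or from the Calyptix WAN IP. The addresses and hostnames are constructed stand-ins (203.0.113.21 for x.x.x.21, 203.0.113.22 for x.x.x.22), and the function names are hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample headers, as a recipient's mailbox would store them.
# 203.0.113.21 stands in for the Calyptix WAN address (x.x.x.21) and
# 203.0.113.22 for the SMTP server's mapped public IP (x.x.x.22).
SAMPLE_MESSAGE = (
    "Received: from mail.example.com (unknown [203.0.113.21])\n"
    "\tby mx.recipient.example with ESMTP id ABC123;\n"
    "\tTue, 02 Jan 2024 10:00:00 -0500\n"
    "Received: from exch01.corp.example (exch01 [192.168.1.10])\n"
    "\tby mail.example.com with ESMTP; Tue, 02 Jan 2024 09:59:58 -0500\n"
    "From: sender@example.com\n"
    "To: user@recipient.example\n"
    "Subject: header check\n"
    "\n"
    "body\n"
)

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def external_source_ip(raw_message):
    """Return the public IP the recipient's server logged for our connection.

    Received headers are newest first, so the first non-internal address
    is the one the outside world (and its reverse DNS check) sees.
    """
    msg = email.message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        for text in BRACKETED_IPV4.findall(hop):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # e.g. [999.1.1.1] is not a real address
            if not any(ip in net for net in INTERNAL_NETS):
                return str(ip)
    return None

def classify_outbound(raw_message, smtp_public_ip, firewall_wan_ip):
    """Say which address outbound mail is actually leaving from."""
    seen = external_source_ip(raw_message)
    if seen == smtp_public_ip:
        return "smtp-server"
    if seen == firewall_wan_ip:
        return "firewall-wan"
    return "unknown"
```

A result of `firewall-wan` is the situation described above: the PTR record for the SMTP server's IP no longer matches the address recipients see.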
