Juniper SSG20 IP settings for email server
Posted by codemonkie on Server Fault
Published on 2012-10-21T04:34:23Z
We have 5 usable external static IP addresses leased by our ISP: .49 to .53, where
- .49 is assigned to the Juniper SSG20 firewall and NATed for 172.16.10.0/24
- .50 is assigned to a Windows box for web server and domain controller
- .51 is assigned to another Windows box with Exchange server (domain: mycompany1.com); the MX record is pointing to 20x.xx.xxx.51
Currently there is a policy set for all incoming SMTP traffic addressed to .51 to be forwarded to the NATed address of the Exchange server box (private IP: 172.16.10.194).
We can send and receive emails both internally and externally, but Gmail is saying mail from mycompany1.com is not sent from the same IP as the MX lookup; instead it is from 20x.xx.xxx.49:
Received-SPF: neutral (google.com: 20x.xx.xxx.49 is neither permitted nor denied by
best guess record for domain of [email protected]) client-ip=20x.xx.xxx.49;
Authentication-Results: mx.google.com; spf=neutral (google.com: 20x.xx.xxx.49 is
neither permitted nor denied by best guess record for domain of
[email protected]) [email protected]
and the MX record in global DNS space, as well as in the domain controller .50, for mail.mycompany1.com is set to 20x.xx.xxx.51
My attempt to resolve the above issue is to
- Update the MX record from 20x.xx.xxx.51 to 20x.xx.xxx.49
- Create a new VIP for SMTP traffic addressed to 20x.xx.xxx.49 to forward to 172.16.10.194
After my changes, incoming email stopped working. I believe it has something to do with the Juniper setting, in that SMTP addressed to .49 is not forwarded to 172.16.10.194.
Also, I have been wondering: is it mandatory to assign an external static IP address to the Juniper firewall?
Any help appreciated.
TIA
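
An added example (not part of the original post): a Python check that reads a Received-SPF header like the one quoted above, compares the client-ip the receiver saw with the MX addresses, and evaluates a candidate SPF record against that address. The 203.0.113.x addresses, the mailbox name and the candidate records are constructed; only the ip4, ip6 and all mechanisms are evaluated.

```python
import ipaddress
import re

# Constructed sample shaped like the header in the post; the redacted address
# is replaced by documentation-range IPs and the mailbox name is made up.
SAMPLE_HEADER = ("Received-SPF: neutral (google.com: 203.0.113.49 is neither "
                 "permitted nor denied by best guess record for domain of "
                 "user@mycompany1.com) client-ip=203.0.113.49;")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_received_spf(header):
    """Return (result, client_ip, best_guess) from a Received-SPF header."""
    result = re.match(r"Received-SPF:\s*(\w+)", header, re.I)
    client = re.search(r"client-ip=([0-9A-Fa-f.:]+)", header)
    if not result or not client:
        raise ValueError("no SPF result or client-ip in header")
    return (result.group(1).lower(), ipaddress.ip_address(client.group(1)),
            "best guess record" in header)

def check_spf(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record (RFC 7208 subset)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise NotImplementedError(f"{name}: needs DNS, not handled here")
        net = ipaddress.ip_network(value, strict=False)
        if net.version == client_ip.version and client_ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 default when no mechanism matches

def egress_report(header, mx_ips, record):
    """Compare the address the receiver saw with the MX set and a candidate record."""
    result, ip, best_guess = parse_received_spf(header)
    return {"receiver_result": result, "client_ip": str(ip),
            "best_guess": best_guess, "egress_is_mx": str(ip) in mx_ips,
            "candidate_result": check_spf(record, ip)}

if __name__ == "__main__":
    for rec in ("v=spf1 ip4:203.0.113.51 -all",
                "v=spf1 ip4:203.0.113.49 ip4:203.0.113.51 -all"):
        print(rec, "->", egress_report(SAMPLE_HEADER, {"203.0.113.51"}, rec))
```

A record that lists only the MX address fails for mail leaving through the firewall's address, while one that also lists the egress address passes.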
© Server Fault or respective owner