Hi, my idea is to put two MTA servers in place, one in the DMZ and the other in the LAN. The goal is to get security in the LAN, and to expose only one server to the Internet. Also, I want to "decompress" the traffic between the LAN and the Internet. So far, I've managed to send email from @myfomail.com to @mydomain.com, and from untrusted (Internet) networks to @mydomain.com. But I cannot send from @mydomain.com to untrusted (Internet) networks (i.e. @yahoo.com, @gmail.com).
My DMZ Postfix postconf -d:

    alias_maps = hash:/etc/aliases
    biff = no
    canonical_maps = hash:/etc/postfix/canonical
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/lib/postfix
    debug_peer_level = 2
    defer_transports =
    disable_dns_lookups = no
    disable_mime_output_conversion = no
    html_directory = /usr/share/doc/packages/postfix/html
    inet_interfaces = 172.20.22.12, 26.80.xxx.xxx, localhost
    inet_protocols = all
    mail_owner = postfix
    mail_spool_directory = /var/mail
    mailbox_command =
    mailbox_size_limit = 0
    mailbox_transport =
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    masquerade_classes = envelope_sender, header_sender, header_recipient
    masquerade_domains = $mydomain
    masquerade_exceptions = root
    message_size_limit = 10240000
    mydestination = $myhostname, localhost.$mydomain $mydomain
    mydomain = mydomain.com
    myhostname = cluster2.mydomain.com
    mynetworks = 172.20.22.14
    mynetworks_style = subnet
    myorigin = $mydomain
    newaliases_path = /usr/bin/newaliases
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/packages/postfix/README_FILES
    relay_domains = correo.mydomain.com
    relayhost =
    relocated_maps = hash:/etc/postfix/relocated
    sample_directory = /usr/share/doc/packages/postfix/samples
    sender_canonical_maps = hash:/etc/postfix/sender_canonical
    sendmail_path = /usr/sbin/sendmail
    setgid_group = maildrop
    smtp_sasl_auth_enable = no
    smtp_use_tls = no
    smtpd_client_restrictions =
    smtpd_helo_required = no
    smtpd_helo_restrictions =
    smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
    smtpd_sasl_auth_enable = no
    smtpd_sender_restrictions = hash:/etc/postfix/access
    smtpd_use_tls = no
    strict_8bitmime = no
    strict_rfc821_envelopes = no
    transport_maps = hash:/etc/postfix/transport
    unknown_local_recipient_reject_code = 550
    virtual_alias_domains = hash:/etc/postfix/virtual
    virtual_alias_maps = hash:/etc/postfix/virtual

And the LAN Postfix postconf -d:

    alias_maps = hash:/etc/aliases
    biff = no
    broken_sasl_auth_clients = yes
    canonical_maps = hash:/etc/postfix/canonical
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/lib/postfix
    debug_peer_level = 2
    defer_transports =
    disable_dns_lookups = no
    disable_mime_output_conversion = no
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = /usr/share/doc/packages/postfix/html
    inet_interfaces = 172.20.22.14, localhost
    inet_protocols = all
    mail_owner = postfix
    mail_spool_directory = /var/mail
    mailbox_command =
    mailbox_size_limit = 102400000
    mailbox_transport =
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    masquerade_classes = envelope_sender, header_sender, header_recipient
    masquerade_domains =
    masquerade_exceptions = root
    message_size_limit = 10240000
    mydestination = $myhostname, localhost.$mydomain $mydomain, correo.mydomain.com
    mydomain = mydomain.com
    myhostname = cluster1.mydomain.com
    mynetworks = 172.16.40.0/24, 127.0.0.0/8, 172.20.0.0/16
    myorigin = $mydomain
    newaliases_path = /usr/bin/newaliases
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/packages/postfix/README_FILES
    relayhost =
    relocated_maps = hash:/etc/postfix/relocated
    sample_directory = /usr/share/doc/packages/postfix/samples
    sender_canonical_maps = hash:/etc/postfix/sender_canonical
    sendmail_path = /usr/sbin/sendmail
    setgid_group = maildrop
    smtp_tls_note_starttls_offer = yes
    smtpd_banner =
    smtpd_client_restrictions = permit_sasl_authenticated
    smtpd_helo_required = no
    smtpd_helo_restrictions =
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sender_restrictions = hash:/etc/postfix/access
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    strict_8bitmime = no
    strict_rfc821_envelopes = no
    tls_random_source = dev:/dev/urandom
    transport_maps = hash:/etc/postfix/transport
    unknown_local_recipient_reject_code = 550
    virtual_alias_domains = hash:/etc/postfix/virtual
    virtual_alias_maps = hash:/etc/postfix/virtual

My DNS server direct-zone file:

    $ORIGIN .
    $TTL 86400      ; 1 day
    mydomain.com    IN SOA  cluster1.mydomain.com. root.mydomain.com. (
                            2009077609 ; serial
                            60         ; refresh (1 minute)
                            60         ; retry (1 minute)
                            3600       ; expire (1 hour)
                            86400      ; minimum (1 day)
                            )
                    NS      cluster1.mydomain.com.
                    NS      cluster3.mydomain.com.
                    A       172.20.22.14
                    MX      5 cluster2.mydomain.com.
    $ORIGIN mydomain.com.
    cluster1        A       172.20.22.14
    cluster2        A       172.20.22.12
    cluster3        A       172.20.22.13
    correo          A       172.20.22.14

I'm new to Postfix, and my English is not so good, but any help will be appreciated. Thank you very much!

Augusto
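Added example, not the poster's own code or configuration: a small Python checker that parses postconf-style "name = value" output for the two hosts and reports what the relay-related settings imply for mail leaving the LAN in a LAN -> DMZ -> Internet design. The sample dumps are constructed from the values quoted in the post (only the relay-relevant keys); the checks it encodes are that the LAN host needs a relayhost pointing at the DMZ host, and that the DMZ host must admit the LAN host via mynetworks while keeping reject_unauth_destination so it does not become an open relay.

```python
import ipaddress
import re

# Constructed subsets of the two postconf dumps from the post (relay-relevant keys only).
DMZ_CONF = """
myhostname = cluster2.mydomain.com
mynetworks = 172.20.22.14
relay_domains = correo.mydomain.com
relayhost =
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
"""
LAN_CONF = """
myhostname = cluster1.mydomain.com
mynetworks = 172.16.40.0/24, 127.0.0.0/8, 172.20.0.0/16
relayhost =
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
"""

def parse_postconf(text):
    """Turn 'name = value' lines into a dict; an empty value stays ''."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def split_list(value):
    """Postfix list values may be separated by commas and/or whitespace."""
    return [v for v in re.split(r"[,\s]+", value) if v]

def in_mynetworks(mynetworks, client_ip):
    """True if client_ip falls inside any CIDR or host entry of mynetworks (map lookups not modelled)."""
    ip = ipaddress.ip_address(client_ip)
    nets = []
    for entry in split_list(mynetworks):
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass  # e.g. a hash:/cidr: map reference; skipped here
    return any(ip in net for net in nets)

def check_outbound_path(lan_conf, dmz_conf, lan_ip, dmz_host):
    """Return findings about the LAN -> DMZ relay path; an empty list means it looks consistent."""
    findings = []
    if not lan_conf.get("relayhost"):
        # With relayhost empty, Postfix sends non-local mail straight to the recipient's MX.
        findings.append("LAN: relayhost is empty; set relayhost = [%s] so Internet mail goes via the DMZ host" % dmz_host)
    if not in_mynetworks(dmz_conf.get("mynetworks", ""), lan_ip):
        findings.append("DMZ: mynetworks does not include the LAN host %s, so permit_mynetworks cannot admit it" % lan_ip)
    restr = set(split_list(dmz_conf.get("smtpd_recipient_restrictions", "")))
    if not restr & {"reject_unauth_destination", "defer_unauth_destination"}:
        findings.append("DMZ: smtpd_recipient_restrictions lacks reject_unauth_destination (open-relay risk)")
    return findings
```

Run against the post's values it reports only the empty relayhost on the LAN host; the DMZ side already lists 172.20.22.14 in mynetworks and keeps reject_unauth_destination.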