FW rules are set up to allow port 25 from both LAN and WAN.
The FW is designed to redirect a LAN request to a FQDN directly to the DMZ *without* going to the WAN first. Even if I use the internet IP number, the FW will 'know the way' (reaching POP3 from the LAN, while WAN access is forbidden, proves it).
I tried (from the LAN) 'telnet mail.domain.com 25' and 'telnet mail 25': both in vain.
At least, it seemed to be in vain...
I must have been too impatient. Because I wanted to know the real return value of the SMTP session, I decided to 'sit it out' and wait for the process to time out (it took over 3 minutes!). It then neatly prompted with 220 ... ESMTP!
It looks like I have some kind of DNS error instead (or something else with smtpfront-qmail), and *not* a FW issue.
If I cannot figure it out, I'll be back.

(You're welcome, of course, if this is a piece of cake for you.)
Thanks for directing me to do more testing.
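The symptom in the post above, a telnet session that shows nothing for minutes and then produces a 220 greeting, is easy to misread as a firewall block. As an added example (not from the original post, and not part of smtpfront-qmail or the firewall in question), here is a small Python probe that separates a refused or timed-out connect, which points at the firewall, from a reachable port whose greeting is merely slow, which points at the MTA side (a multi-minute greeting delay is classically a server-side lookup such as reverse DNS timing out before the banner is sent). The delayed local listener is a constructed stand-in for the misbehaving server; the hostname, ports and the "slow" threshold are illustrative assumptions.

```python
import socket
import threading
import time


def serve_banner(delay, banner=b"220 mail.example.test ESMTP\r\n"):
    """Constructed test fixture: a throwaway local listener that waits
    `delay` seconds before sending an SMTP-style greeting, imitating an MTA
    stuck in a lookup before it greets. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler():
        conn, _ = srv.accept()
        time.sleep(delay)
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return port


def probe_smtp(host, port, connect_timeout=5.0, banner_timeout=240.0, slow_after=5.0):
    """Connect to an SMTP port and classify what happens.

    - refused / connect_timeout / unreachable: the TCP connect itself failed,
      so a firewall or routing rule is the first suspect.
    - banner_ok / banner_slow: the port answers; a slow greeting means the
      MTA is stalling before it talks, not that the packet was dropped.
    - no_banner: connected, but no 220 line arrived within banner_timeout.

    banner_timeout is deliberately long: the greeting in the post took over
    three minutes to arrive, and an impatient telnet would have missed it.
    """
    t0 = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except ConnectionRefusedError:
        return {"status": "refused", "seconds": round(time.monotonic() - t0, 2), "banner": None}
    except socket.timeout:
        return {"status": "connect_timeout", "seconds": round(time.monotonic() - t0, 2), "banner": None}
    except OSError:
        return {"status": "unreachable", "seconds": round(time.monotonic() - t0, 2), "banner": None}

    with sock:
        sock.settimeout(banner_timeout)
        try:
            line = sock.makefile("rb").readline()
        except socket.timeout:
            line = b""

    elapsed = time.monotonic() - t0
    banner = line.decode("ascii", "replace").rstrip("\r\n")
    if not banner.startswith("220"):
        status = "no_banner"
    elif elapsed >= slow_after:
        status = "banner_slow"
    else:
        status = "banner_ok"
    return {"status": status, "seconds": round(elapsed, 2), "banner": banner or None}


if __name__ == "__main__":
    # Against a real host you would call probe_smtp("mail.domain.com", 25);
    # here both runs use the constructed local fixture so the script is offline.
    print("prompt greeting:", probe_smtp("127.0.0.1", serve_banner(0.0)))
    print("stalled greeting:", probe_smtp("127.0.0.1", serve_banner(2.0), slow_after=1.0))
```

The useful reading is the pair (status, seconds): "refused" or "connect_timeout" within the connect timeout says the firewall never let the SYN through or the port is closed, whereas "banner_slow" with a large seconds value says the packets arrive fine and the delay is on the mail server, which is the conclusion the post reached by waiting out the telnet session.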