==== Required information ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
======== Required information ====
- iRedMail version (check /etc/iredmail-release): .096
- Linux/BSD distribution name and version: Ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx):Apache
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I have an iRedMail server external to my network, and all of my hosts are NAT'd behind a firewall.  All of the hosts inside the network can resolve the host name of the external mail server and use it for mail transactions. 
I think what is happening is I have multiple hosts connecting for inbound/outbound  emails and when the mail transactions overlap on postfix on the iRedmail server, (maybe too many hits per minute?)  which causes the email to be dropped and eventually fail2ban activates on the postifx jail for the public IP address for the network.  I see issues in the logs where there are complaints about  hoist names not resolving too.   

I have poked around the forum but I don't see anyone talking about this type of setup.
I assume everyone else doing this is doing a local DMZ and can allow the iRedMail access to the local DNS - in this case the iRedMail server is offsite and can't gain access to the local DNS.

Is the best option to run the mail server inside the network and allow SMTP traffic through the firewall, or run on a locla DMZ with access to the local DNS?