Apple iDevices with Private Relay, Mail and Split DNS

I have split DNS for a mail server (different IP inside the network from outside, and the external IP is NOT the external IP of the firewall).

When using Apple’s Private Relay, the Apple devices ignore the local DNS server they get from DHCP in Mail and Safari and use the external IP instead.

I found that I can use a DNS profile (“mobileconfig”) to set the DNS server, but I already have a profile and it appears that only one profile can be used at any time (the “Auto” setting seems to not work as I would have expected).

  • Is there a way to set “internal” IP/name and “external” IP/name for SMTP/IMAP servers, like it’s possible for Exchange?

  • Is there a way to create a DNS profile that has more complex rules (rather than “use this DNS server if condition(s)”, use something that has an alternate server, i.e. “use this DNS server if condition(s), ELSE that DNS server”)?

  • I have considered a pinhole rule at the firewall that redirects traffic from the combination of external IP:ports to the internal IP. But I have the feeling I might invite trouble with that, since I still need to talk to the external server.

  • I cannot use IPv6 (that might work due to the infinite supply of addresses, where I could associate a separate address for every port I’m interested in redirecting), but the ISP doesn’t support it. The ISP obviously hasn’t heard that it’s the year of IPv6.

I really don’t know how to solve this properly. I would like to get rid of the split DNS but I’m not sure how I could achieve the goal of using an internal server IP instead of the external IP.

Any comments or other ideas anyone?

Update: I am trying to get a second public IPv4 for the external server.
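Added example (not from the original poster): the “ELSE” branch the post asks for can be approximated inside a single DNS Settings profile by scoping it with on-demand rules rather than by adding a second profile. Apple’s `com.apple.dnsSettings.managed` payload supports `OnDemandRules`; the first rule that matches decides whether the profile’s resolver is applied (`Connect`) or not (`Disconnect`). Below, the profile is applied only on the home Wi‑Fi SSID, and only for the mail host; anywhere else it disconnects, so the device falls back to whatever resolvers it would otherwise use, which is in effect the alternate branch. The SSID `HomeNetwork`, the resolver address `192.0.2.53` (RFC 5737 documentation range), the names `dns.home.example` and `mail.example.com`, and the identifiers/UUIDs are all placeholders to replace.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Top-level profile wrapper; identifiers and UUIDs are placeholders -->
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.home.splitdns</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Home split DNS (example)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- DNS Settings payload: only encrypted DNS (TLS or HTTPS) is allowed here -->
      <key>PayloadType</key><string>com.apple.dnsSettings.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.home.splitdns.resolver</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>DNSSettings</key>
      <dict>
        <!-- Internal resolver reached over DNS-over-TLS; ServerName must match its certificate -->
        <key>DNSProtocol</key><string>TLS</string>
        <key>ServerName</key><string>dns.home.example</string>
        <key>ServerAddresses</key>
        <array><string>192.0.2.53</string></array>
        <!-- Send only the mail host's queries to this resolver; everything else is untouched -->
        <key>SupplementalMatchDomains</key>
        <array><string>mail.example.com</string></array>
      </dict>
      <!-- Rules are evaluated in order; the first match wins -->
      <key>OnDemandRules</key>
      <array>
        <dict>
          <!-- On the home Wi-Fi: apply the internal resolver -->
          <key>Action</key><string>Connect</string>
          <key>InterfaceTypeMatch</key><string>WiFi</string>
          <key>SSIDMatch</key>
          <array><string>HomeNetwork</string></array>
        </dict>
        <dict>
          <!-- Everywhere else: do not apply it, so the public (external) answer is used -->
          <key>Action</key><string>Disconnect</string>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
```

Two things to check before relying on this: the payload only accepts encrypted DNS, so the internal resolver has to speak DNS‑over‑TLS (or DNS‑over‑HTTPS with `ServerURL` instead of `ServerName`) with a certificate the devices trust, and the profile leaves all other queries, and therefore Private Relay’s own resolution for them, as they were. It scopes the one resolver the post already found works; it does not add a second profile.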