Back to the single NATed network

webserver = "192.168.2.7"
webports = "{ http, https }"
emailserver = "192.168.2.5"
email = "{ smtp, pop3, imap, imap3, imaps, pop3s }"

rdr on $ext_if proto tcp from any to $ext_if port $webports -> $webserver
rdr on $ext_if proto tcp from any to $ext_if port $email -> $emailserver

pass in on $ext_if proto tcp from any to $webserver port $webports \
   flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $emailserver port $email \
   flags S/SA synproxy state
pass out on $ext_if proto tcp from $emailserver to any port smtp \
   flags S/SA synproxy state

Works with or without a separate dmz, but -