Here's another way of doing this:
1. Create an MX and A record for your unix box
2a. Create _only_ an MX record for your internal box.
2b. Create a second MX record pointing to your unix box
3. On your unix box put the internal box IP address in /etc/hosts or in an internal DNS setup (same unix box if using split DNS).
4. Put "internal.box.name" in /etc/mail/relay-domains
What happens is this:
1. A (say) AOL user attempts to send mail to
USER@BOX.DOMAIN.
2. AOL's DNS servers look up the MX record and find that INTERNAL.BOX.DOMAIN is the first MX record. But there is no "A" record for INTERNAL.BOX.DOMAIN.
3. AOL's mail program then goes to the second MX record for "BOX.DOMAIN" - this is unix.box.domain which does have an A record.
4. Mail hits unix.box.domain. Since INTERNAL.box.domain is in /etc/mail/relay-domains, sendmail knows to relay it to that box. Sendmail then uses either /etc/hosts or an internal DNS record to get the RFC1918 IP address.
5. Mail goes from unix box to INTERNAL.BOX.DOMAIN.
The good part - no muss, no fuss with /etc/mail/relay, access, alias or virtusertables. You can also use various DNSBLs to filter out spam, use SpamAssassin to tag spam, etc. Your internal box is also protected from various port scanners, spammers, etc.
Bad part - you generate slightly more DNS traffic by having to look up two MX records. Some Windows-based MTAs are too stupid to know how to look up more than one MX record. But in doing this for 22 sites (a school system) for 5 years I've only found one mail package which could not handle this setup.
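The mail path described in the post, modelled as an added example (not code from the post or from sendmail): a public DNS view in which the internal host has only an MX record, an internal /etc/hosts view, and a relay-domains list, with a switch that reproduces the "only tries the first MX" MTAs mentioned as the bad part. All hostnames, addresses and the two dictionaries are constructed for the example.

```python
# Constructed public DNS view: box.domain has two MX records, but only the
# unix box has an A record that the outside world can resolve.
PUBLIC_DNS = {
    "MX": {"box.domain": [(10, "internal.box.domain"), (20, "unix.box.domain")]},
    "A": {"unix.box.domain": "203.0.113.25"},   # constructed documentation address
}
# Constructed internal view: what /etc/hosts (or a split-DNS zone) on the
# unix box knows. The RFC1918 address never appears in PUBLIC_DNS.
INTERNAL_HOSTS = {"internal.box.domain": "10.0.0.5"}
# Contents of /etc/mail/relay-domains on the unix box.
RELAY_DOMAINS = {"internal.box.domain"}


def pick_mx(domain, dns, follow_all_mx=True):
    """Return (host, ip) of the lowest-preference MX that has an A record.
    follow_all_mx=False models an MTA that only ever tries the best MX."""
    mxs = sorted(dns["MX"].get(domain, []))        # sort by preference value
    if not follow_all_mx:
        mxs = mxs[:1]
    for _pref, host in mxs:
        if host in dns["A"]:                        # first MX has no A record: skip it
            return host, dns["A"][host]
    return None


def mail_path(rcpt_domain, public_dns, internal_hosts, relay_domains,
              follow_all_mx=True):
    """List the (host, ip) hops a message to user@rcpt_domain takes.
    Hop 1: the sender's MTA picks an MX from the public view.
    Hop 2: the unix box forwards to the better MX, provided that host is
    listed in relay-domains and resolvable from the internal view."""
    hops = []
    first = pick_mx(rcpt_domain, public_dns, follow_all_mx)
    if first is None:
        return hops                                 # sender could not deliver at all
    hops.append(first)
    best_host = sorted(public_dns["MX"][rcpt_domain])[0][1]
    if (best_host != first[0] and best_host in relay_domains
            and best_host in internal_hosts):
        hops.append((best_host, internal_hosts[best_host]))
    return hops


def exposed_to_internet(host, public_dns):
    """True if an outside scanner could resolve the host by name at all."""
    return host in public_dns["A"]
```

Running `mail_path("box.domain", PUBLIC_DNS, INTERNAL_HOSTS, RELAY_DOMAINS)` yields the two hops the post walks through; with `follow_all_mx=False` the sender gives up at the first MX, which is the failure mode the last paragraph describes.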