Subject: Re: 30-60 sec SMPT delay with ipf.conf configuration.
To: Alicia da Conceicao <alicia@cyberstation.ca>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: port-i386
Date: 01/07/2000 12:13:11

Chances are you're running into the remote SMTP server attempting to
connect to your ident port (for no particularly good reason, but I
digress); you're blackholing the inbound SYNs, so the remote server
waits for the connection to time out before proceeding.

You can verify this with ipf logging (turn on ipmon, add "log" to the
"block" lines you suspect of firing, and watch syslogs).

If you change the "block in proto tcp" to a "block return-rst in proto
tcp", the SYN will get a RST in response which will let it go ahead
immediately.

					- Bill
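
The check suggested in the message above (log the suspect "block" rules and watch syslog) can be scripted. This is an added example, not part of the original message: it scans ipmon syslog lines for blocked inbound SYNs to the ident port (113) and counts them per source and rule. The log lines are constructed, and their layout, the interface name ed0, the addresses and the rule numbers are assumptions.

```python
import re
from collections import Counter

IDENT_PORT = 113

# Assumed ipmon syslog layout:
#   <iface> @<group>:<rule> <action> <src>,<sport> -> <dst>,<dport> PR <proto> len <hl> <len> -<flags>
LINE_RE = re.compile(
    r"(?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<action>\S) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+ -(?P<flags>[A-Z]+)"
)

# Constructed sample: one remote mail server retrying a dropped ident SYN
# (same source port each time, i.e. retransmissions), plus unrelated traffic.
SAMPLE_LOG = """\
Jan  7 12:10:01 gw ipmon[212]: 12:10:00.514023 ed0 @0:4 b 192.0.2.25,3211 -> 198.51.100.7,113 PR tcp len 20 44 -S IN
Jan  7 12:10:04 gw ipmon[212]: 12:10:03.520118 ed0 @0:4 b 192.0.2.25,3211 -> 198.51.100.7,113 PR tcp len 20 44 -S IN
Jan  7 12:10:10 gw ipmon[212]: 12:10:09.531422 ed0 @0:4 b 192.0.2.25,3211 -> 198.51.100.7,113 PR tcp len 20 44 -S IN
Jan  7 12:11:30 gw ipmon[212]: 12:11:29.100201 ed0 @0:4 b 203.0.113.9,4410 -> 198.51.100.7,23 PR tcp len 20 44 -S IN
Jan  7 12:12:02 gw ipmon[212]: 12:12:01.000311 ed0 @0:2 p 192.0.2.25,3210 -> 198.51.100.7,25 PR tcp len 20 44 -S IN
""".splitlines()


def blocked_ident_syns(lines):
    """Count blocked initial SYNs to the ident port, keyed by (source, rule)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an ipmon packet record
        initial_syn = "S" in m["flags"] and "A" not in m["flags"]
        if (m["action"] == "b" and m["proto"] == "tcp"
                and int(m["dport"]) == IDENT_PORT and initial_syn):
            hits[(m["src"], m["rule"])] += 1
    return hits


if __name__ == "__main__":
    for (src, rule), n in blocked_ident_syns(SAMPLE_LOG).items():
        # Repeated SYNs from one source mean the peer is retrying into a
        # blackhole; that rule is the one to change to "block return-rst".
        print(f"{src}: {n} ident SYN(s) dropped by rule @{rule}")
```
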