I guess I dont understand what you are saying. If your SP is hosting your SMTP, your inside hosts hand off the mail to that host (which in turn should be the same as your MX record.) When that server tries to send the mail to the correct address, IDENT should be allowed to that server to be sure the other mailservers can verify identity. If you host your own SMTP server behind your firewall, the MX record should point at the static translation setup in the PIX. Now simply open an additional conduit for IDENT and mail should work fine.