I have a standalone Server 2012 with AD, DHCP, DNS and Exchange on it and started getting DDoS attacks.
I installed a firewall and had to change the subnet of the server from 10.0.0.0/24 to 192.168.1.0/24, and after reconfiguring the server's IP, DHCP and DNS I found that I had no incoming email (invalid security certificate).
I found that mail traffic was directed to the router instead of Exchange and was being rejected with the router's security certificate. I have since fiddled with the DNS so many times I don't know what is right and wrong.
Does anyone have any ideas where I have gone wrong, what is in the tables that shouldn't be there, and what is missing?
email address is user.mail.domain.com
Geotrust SSL security certificate is mail.domain.com, autodiscover.domain.com, server01.domain.com
**Forward lookup for domain.com**
Same as parent SOA [28]server01.domain.com, hostmaster.domain.com
Same as parent NS server01.domain.com
Same as parent NS ns1.domain.com
Same as parent NS ns2.domain.com
Same as parent MX [10]mail.domain.com
Same as parent MX [20]mail.domain.com
server01 MX [10]mail.domain.com
Same as parent HostA 192.168.1.10
Same as parent HostA 139.130.XXX.YYY
server01 HostA 192.168.1.10
mail HostA 192.168.1.10
mail HostA 139.130.XXX.YYY
localhost HostA 127.0.0.0
Properties SOA ns1.domain.com 139.130.XXX.YYY
ns2.domain.com 139.130.XXX.YYY
server01.domain.com 192.168.1.10
**Forward lookup for mail.domain.com**
Same as parent SOA [1]server01.domain.com, hostmaster.domain.com
Same as parent NS server01.domain.com
Same as parent HostA 192.168.1.10
Same as parent HostA 139.130.XXX.YYY
Properties of SOA server01.domain.com 192.168.1.10
**Reverse Lookup**
1.168.192.in-addr.arpa
Same as parent SOA [1]server01.domain.com, hostmaster.domain.com
Same as parent NS server01.domain.com
Same as parent NS ns1.domain.com
192.168.1.10 PTR domain.com
192.168.1.10 PTR mail.domain.com
OWA and Outlook 2013 work incoming and outgoing from within the subnet, for both internal and external emails.
But users off site can't log in to Outlook 2013 and get blocked in OWA by an invalid security certificate.
**Testconnectivity.microsoft.com results**
autodiscover failed
resolved host domain.com successful with both correct IP addresses returned
Port 443 open
SSL certificate incorrect: it is the router's certificate, not the Geotrust certificate.
**This is the real issue, and I can't figure out why.**
Thanks, Alan
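
The symptom reported above is that port 443 answers with the router's certificate instead of the GeoTrust one. As an added example (not part of the original post), this Python check reports which certificate a listener presents and which of the post's three names it fails to cover; `probe`, `uncovered`, `issuer_cn` and the two sample dictionaries are constructed for illustration, and `domain.com` is the post's own placeholder.

```python
import socket
import ssl

# Names the post says the GeoTrust certificate covers.
EXPECTED = ["mail.domain.com", "autodiscover.domain.com", "server01.domain.com"]

# Constructed samples in ssl.getpeercert() layout (not real certificates).
ROUTER_SAMPLE = {"issuer": ((("commonName", "router.example"),),),
                 "subjectAltName": (("DNS", "router.example"),)}
EXCHANGE_SAMPLE = {"issuer": ((("commonName", "Example Issuing CA"),),),
                   "subjectAltName": tuple(("DNS", n) for n in EXPECTED)}

def _covers(pattern, name):
    """True if a SAN entry covers name; '*.' matches one left-most label."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        return "." in name and name.split(".", 1)[1] == pattern[2:]
    return pattern == name

def issuer_cn(cert):
    """Issuer commonName, or None if the certificate has none."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def uncovered(cert, expected=EXPECTED):
    """Expected host names the presented certificate does not cover."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return [n for n in expected if not any(_covers(p, n) for p in sans)]

def probe(host, port=443, timeout=5.0):
    """Validated handshake; returns (cert_dict, None) or (None, reason)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message  # e.g. self-signed or name mismatch
    except OSError as exc:
        return None, str(exc)

if __name__ == "__main__":
    for name in EXPECTED:
        cert, reason = probe(name)
        print(name, reason if cert is None else (issuer_cn(cert), uncovered(cert)))
```

Running it once from inside the subnet and once from off site shows whether the same listener answers on 443 in both places.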