Firewall and mangle flow questions

I’d say ‘either forward or input’ - connection cannot pass through both forward and input %)

simply add a rule at the top of NAT that will accept packets to the mailserver (action=accept). That will prevent other NAT rules from processing these packets

well, I don’t fully understand how the p2p matcher in the firewall works internally, so I’ll simply describe one of the reasons why it’s better to use connection-marks

for example, you need to simply match all packets against address-list, containing thousands of addresses.

head-on solution: /ip firewall mangle add src-address-list=pamparam action=something (mark-packet, etc.)

but searching huge lists can be cpu-expensive, so we remember that we have connection tracking enabled :) and all packets are going through it =) one of conntrack’s functions is to preserve connection marks among packets, so we can simply look up the address-list for each new connection, then mark the connection with the needed mark - and use that mark to identify the necessary packets, something like

/ip firewall mangle add connection-mark=pamparam in-interface=Local action=something passthrough=no
/ip firewall mangle add connection-state=new src-address-list=pamparam action=mark-connection new-connection-mark=pamparam
/ip firewall mangle add connection-mark=pamparam in-interface=Local action=something

and you don’t have overhead in address-list lookup for packets of established connections =)