Regarding firewall > nat forwarding settings ..
In general>src.port field there is "25,80,443,587" and in action>dst.port field there is "25-587"
Be careful. There are 3 distinct port settings: src-port , dst-port and to-ports ... src-port check the port used by client. Usually that's some random high port and not really useful for usual NAT rules. dst-port is the port that client tries to connect, in most usual scenarios that's port that client sees as service port on router's WAN address. And then to-ports sets the port number which is used by service inside the DMZ/LAN.
Example: if one wants to establish port forwarding for https (TCP port 443), but to obfuscate things one uses TCP port 13443 on the WAN side while https server on the DMZ host actually uses standard port. We don't care which local port is used by client's browser. So the NAT rule would look like this
/ip firewall nat
add action=dst-nat dst-port=13443 to-ports=443 protocol=tcp dst-address=<WAN IP address> to-address=<DMZ host IP address>
If you don't obfuscate port numbers (e.g. you only want to do address translation), then you don't have to use to-ports at all. And if you want to forward a few ports to same DMZ host, you can use something you already hinted at:
add action=dst-nat dst-port=25,80,443,587 protocol=tcp dst-address=<WAN IP address> to-address=<DMZ host IP address>
Another thing to be careful about: do use as many filtering attributes as possible to make the NAT rule as specific as possible. If there wasn't the "dst-address=" part, this rule would grab any packet passing router and was targeting the enumerated ports. Those connections from LAN users directed at internet hosts as well ...