I have a 3-legged router/firewall setup with a DMZ subnet, a private subnet, and the WAN. On the private subnet, I have two file servers, a DNS/DHCP/Print server, and a DC. In the DMZ, I have a web server and a DNS server. I do not allow any traffic from the DMZ to the internal network and only allow DNS and HTTP traffic from the internet to the DMZ. What is the most secure way to add an email server and VPN server into the network? I don't want to allow any traffic directly from the internet to the internal network, and I don't want to allow any traffic from the DMZ to the internal network. How do most corporate environments with a focus on security have this set up?

Thanks