That's a pretty good drawing.
You have a nice division of services across available servers. It's always a good idea, whenever feasible, to run different services in different servers so as to reduce load on any one particular server.
This is especially true for a DC. Since you're talking about a Windows-based, Active Directory integrated domain, here's what I would recommend: two DCs, with the second one configured to provide redundancy. That way, should either one fail, the other can take over without downing your entire domain.
I think you've overcomplicated your network design though. It should go from external into a firewall.
Internet >> Firewall
Behind the firewall would be your DMZ which would contain all your outward facing servers (http/ftp etc) and also your internal network.
So it would look something like:
Firewall >> DMZ
(the LAN connects directly to the Firewall)
Your LAN of course would contain your DC's, internal servers, clients and whatever else you would have in your network that you wouldn't want exposed to the outside world.
LAN >> switch(es) >> servers/clients/network printers etc
If you know your way around UNIX, you could build a firewall using OpenBSD, and that could also be your ssh/sftp server (I prefer sftp over plain old vanilla ftp any day; it's more secure). The same box could also handle routing.
With regard to what is allowed to connect to what (i.e. "The terminal server will only have access to the file server for storing data from external sources."): this is not controlled by physical connections, it's controlled by your use of groups, users and the ACLs on shares. This is true for both internal and external access.
The mail server will be very light in HDD space and archive mail on the file server after a while.
You might want to look at a SAN/NAS for this instead of just a server. Whatever you do use is going to need to be on a RAID with a lot of available space.
All the servers and users will have internet access except for the file server.
Since nobody is going to be logging onto the file server locally and using it as a workstation, this is a moot point, right? You can avoid allowing it to have internet access by not configuring a gateway address when you do the static assignment of TCP/IP info, but you will want to update the operating system from time to time, so it is likely that you will want it to have access to the internet. Just control who has physical access to the box and who is allowed to log on locally.
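As an added illustration (not part of the original answer), here is what the Internet >> Firewall >> DMZ / LAN layout described above could look like as an OpenBSD pf.conf on the firewall box; the interface names, addresses and host roles are assumptions chosen for the example.

```pf
# /etc/pf.conf on the OpenBSD firewall/router (constructed example).
# Assumed interfaces and addresses; adjust to your own.
# Routing between segments also needs: sysctl net.inet.ip.forwarding=1
ext_if = "em0"              # Internet side
dmz_if = "em1"              # DMZ: outward-facing servers
lan_if = "em2"              # LAN: DCs, file server, clients, printers
dmz_net = "192.0.2.0/24"
lan_net = "192.168.10.0/24"
web_srv  = "192.0.2.10"     # http/https host in the DMZ
sftp_srv = "192.0.2.11"     # sftp host in the DMZ
file_srv = "192.168.10.20"  # internal file server, no internet

# Addresses that count as "inside" the firewall
table <internal> { $lan_net $dmz_net }

set skip on lo
set block-policy drop       # silently drop, nothing revealed to scanners

# Hide both inside segments behind the firewall's public address
match out on $ext_if inet from <internal> nat-to ($ext_if:0)

# Default deny on every interface; log what gets dropped
block log all

# Drop packets arriving with a source address from the wrong segment
antispoof quick for { $ext_if $dmz_if $lan_if }

# Internet -> DMZ: only the published services, nothing else
pass in on $ext_if inet proto tcp to $web_srv  port { 80 443 }
pass in on $ext_if inet proto tcp to $sftp_srv port 22

# DMZ -> Internet (e.g. updates), but never into the LAN.
# Anything the terminal server may read on the file server is
# decided by share ACLs on the Windows side, not by this ruleset.
pass in on $dmz_if inet from $dmz_net to ! $lan_net

# LAN -> DMZ and Internet. The file server gets no internet at all;
# temporarily lift this block for its update window if needed.
block in quick on $lan_if inet from $file_srv to ! <internal>
pass in on $lan_if inet from $lan_net

# Outbound on any interface follows the inbound decision (stateful)
pass out on { $ext_if $dmz_if $lan_if }
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` to confirm the blocks you expect.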