Configuring mail settings : Configuring proxies (transparent mode only) : About the transparent mode proxies : When FortiMail uses the proxies instead of the built-in MTA
When FortiMail uses the proxies instead of the built-in MTA
When operating in transparent mode, a FortiMail unit has two ways of handling an SMTP connection: to proxy, or to relay. A FortiMail unit will proxy a connection only if you have enabled the proxy option applicable to the connection’s directionality, either:
“Use client-specified SMTP server to send email” (for outgoing connections), or
“Use this domain’s SMTP server to deliver the mail” (for incoming connections containing outgoing email messages)
This option is ignored for email that matches an antispam or content action profile where you have enabled Deliver to alternate host.
Otherwise, it will use its built-in MTA instead.
Unlike in gateway mode, in transparent mode, the built-in MTA is used implicitly. SMTP clients do not explicitly connect to it, but unless proxied, all connections traveling through the FortiMail unit are implicitly handled by the built-in MTA. In this sense, while in transparent mode, the built-in MTA may initially seem to be similar to the proxies, which are also used implicitly, and not specifically requested by the SMTP client. However, the proxies or the built-in MTA may reroute connections to different destination IP addresses, and thereby may affect mail routing.
Because the outgoing proxy does not queue undeliverable email, while the built-in MTA and incoming proxy do, whether a proxy or the built-in MTA handles a connection may also affect the FortiMail unit’s mail queues.
 
Table 36: Mail routing in transparent mode
Destination IP of connection
RCPT TO:
Configuration
Result
SMTP server (incoming connection)
A protected domain (incoming email)
N/A
Built-in MTA establishes session with SMTP server
Not a protected domain (outgoing email)
Use this domain’s SMTP server to deliver the mail is enabled
Incoming queueing proxy establishes session with SMTP server
Use this domain’s SMTP server to deliver the mail is disabled
Relay Server section is configured
Built-in MTA establishes session with Relay Server section
Relay Server section is not configured
Built-in MTA performs MX lookup of the domain in RCPT TO: and establishes session with the resulting MTA
Not SMTP server (outgoing connection)
N/A
Use client-specified SMTP server to send email is enabled
Outgoing non-queueing proxy establishes session with the unprotected MTA
Use client-specified SMTP server to send email is disabled
Relay Server section is configured
Built-in MTA establishes session with Relay Server section
Relay Server section is not configured
Built-in MTA performs MX lookup of the domain in RCPT TO: and establishes session with the resulting MTA
You can determine whether a connection was handled using the built-in MTA or one of the proxies by viewing the Mailer column of the history log messages.
mta: The connection was handled by the built-in MTA.
proxy: The connection was handled by either the incoming proxy or the outgoing proxy.
For information on viewing the history log, see “Viewing log messages”.