Many FortiMail features such as proxies and policies act upon the directionality of an SMTP connection or email message. Rather than being based upon origin, incoming or outgoing directionality is determined by whether the destination is a protected domain.

Incoming connections consist of those destined for the SMTP servers that are protected domains of the FortiMail unit. For example, if the FortiMail unit is configured to protect the SMTP server whose IP address is 192.168.0.1, the FortiMail unit treats all SMTP connections destined for 192.168.0.1 as incoming.

Outgoing connections consist of those destined for SMTP servers that the FortiMail unit has not been configured to protect. For example, if the FortiMail unit is not configured to protect the SMTP server whose IP address is 10.0.0.1, all SMTP connections destined for 10.0.0.1 will be treated as outgoing, regardless of their origin.

Directionality at the connection level may be different than directionality at the level of email messages contained by the connection. It is possible that an incoming connection could contain an outgoing email message, and vice versa.

For example, in the above figure, connections from the internal mail relays to the internal mail servers are outgoing connections, but they contain incoming email messages. Conversely, connections from remote MUAs to the internal mail relays are incoming connections, but may contain outgoing email messages if the recipients’ email addresses (RCPT TO:) are external.

Similarly to when determining the directionality of an SMTP connection, when determining the directionality of an email message, FortiMail units examine the domain to which the recipient belongs: if the domain to which the recipient email address belongs is a protected domain, the email message is considered to be incoming; if the domain to which the recipient email address belongs is not a protected domain, the email message is considered to be outgoing.