When FortiMail uses the proxies instead of the built-in MTA
When operating in transparent mode, a FortiMail unit has two ways of handling an SMTP connection: to proxy, or to relay. A FortiMail unit will proxy a connection only if you have enabled the proxy option applicable to the connection’s directionality, either:
This option is ignored for email that matches an antispam or content action profile where you have enabled Deliver to alternate host.
Otherwise, it will use its built-in MTA instead.
Unlike in gateway mode, in transparent mode, the built-in MTA is used implicitly. SMTP clients do not explicitly connect to it, but unless proxied, all connections traveling through the FortiMail unit are implicitly handled by the built-in MTA. In this sense, while in transparent mode, the built-in MTA may initially seem to be similar to the proxies, which are also used implicitly, and not specifically requested by the SMTP client. However, the proxies or the built-in MTA may reroute connections to different destination IP addresses, and thereby may affect mail routing.
Because the outgoing proxy does not queue undeliverable email, while the built-in MTA and incoming proxy do, whether a proxy or the built-in MTA handles a connection may also affect the FortiMail unit’s mail queues.
Table 44: Mail routing in transparent mode
Destination IP of connection | RCPT TO: | Configuration | Result |
SMTP server (incoming connection) | A protected domain (incoming email) | N/A | Built-in MTA establishes session with SMTP server |
|
Not a protected domain (outgoing email) | | Incoming queueing proxy establishes session with SMTP server |
| Relay Server section is configured | Built-in MTA establishes session with Relay Server section |
Relay Server section is not configured | Built-in MTA performs MX lookup of the domain in RCPT TO: and establishes session with the resulting MTA |
Not SMTP server (outgoing connection) | N/A | | Outgoing non-queueing proxy establishes session with the unprotected MTA |
| Relay Server section is configured | Built-in MTA establishes session with Relay Server section |
Relay Server section is not configured | Built-in MTA performs MX lookup of the domain in RCPT TO: and establishes session with the resulting MTA |
You can determine whether a connection was handled using the built-in MTA or one of the proxies by viewing the Mailer column of the history log messages.
• mta: The connection was handled by the built-in MTA.
• proxy: The connection was handled by either the incoming proxy or the outgoing proxy.
For information on viewing the history log, see
“Viewing log messages”.