• In transparent mode the recipient domain address does not determine the direction
• At the network connectivity level the destination IP address determines whether a session is incoming or outgoing:
  » An SMTP session is considered incoming if the destination IP address matches an SMTP server configured in the protected domain list
  » An SMTP session is considered outgoing if the destination IP address does not match any SMTP server configured on the FortiMail unit
Transparency Settings
• By default, the transparent mode unit does not hide its presence in the mail flow
• The management IP address (if in bridge mode) or the interface IP address (if in route mode) will be used to establish a new session to the destination MTA
• To hide the transparent unit you can use one of the following options depending on the direction of the email:
  » Incoming emails: Enable the option “Hide the transparent box” (System > Domain)
  » Outgoing emails: Enable the option “Hide this box from the mail server” (Session profile > Connection Settings)
  » In both cases, the TP unit will reuse the sender IP address to establish the new
• A transparent mode FortiMail unit can route a message to its destination by using its built in MTA or by proxying it
• When the built in MTA is used the following actions are taken:
  » The email is intercepted
  » DNS MX and A resolution are performed on the recipient domain
  » The email is delivered
Transparent Proxy
• If the transparent proxy is enabled, the FortiMail unit performs the following actions:
  » The email is intercepted
  » The email is simply forwarded to destination
  » No queuing of messages in case of delivery failure
• Transparent proxy can be enabled depending on the direction of the mail flow in the following ways:
  » Incoming: Select the option “Use this domain’s SMTP to deliver the email” (Mail Settings > Domains)
  » Outgoing: Select the option “Use client specified SMTP server to send email”
Transparent unit (tp.smarthost.lab) configured to Pass Through incoming and outgoing SMTP connections. The session from 10.0.1.100 to 10.0.3.100 is bridged.
MX record for external.lab: server.external.lab (10.0.2.100)
Domain smarthost.lab defined with IP 10.0.3.100. The transparent mode unit intercepts the email and it triggers its internal MTA to route the email to destination. MX record for domain external.lab: server.external.lab (10.0.2.100)
The Gateway FortiMail unit receives the email. MX lookup is performed to route the email to destination. MX record for domain external.lab: server.external.lab (10.0.2.100)
Domain smarthost.lab defined with IP 10.0.3.100. The transparent mode unit intercepts the email and it forwards it to 10.0.3.100 (as indicated in the protected domain section). A new session is initiated from the TP unit with source IP of 10.0.3.201 to 10.0.3.100
No protected domain configured on the Transparent FortiMail unit. All traffic is considered OUTGOING. Port1 configured to proxy outgoing SMTP connections. The Transparent mode unit intercepts the email and it triggers its internal MTA to route the email to destination. MX record for domain external.lab: server.external.lab (10.0.2.100)
The Gateway unit receives the email. MX lookup is performed to route the email to destination. MX record for domain external.lab: server.external.lab (10.0.2.100)
No protected domain configured on the Transparent unit. All traffic is considered outgoing. Port1 configured to proxy outgoing SMTP connections. The transparent mode unit intercepts the email and it forwards it to 10.0.3.100 (as indicated by the client). A new session is initiated from the TP unit with source IP of 10.0.3.201
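
The direction, delivery and source-address rules from the slides above can be checked against the four lab scenarios with a small model. This is an added example, not Fortinet code or FortiMail configuration: the class, field and function names are assumptions made for illustration, and only the IP addresses and domain names come from the slides.

```python
from dataclasses import dataclass

@dataclass
class TransparentUnit:
    # Field names are modelling assumptions, not FortiMail configuration keys.
    unit_ip: str                  # management/interface IP used for new sessions
    protected: dict               # protected domain -> its SMTP server IP
    proxy_incoming: bool = False  # "Use this domain's SMTP to deliver the email"
    proxy_outgoing: bool = False  # "Use client specified SMTP server to send email"
    hide_incoming: bool = False   # "Hide the transparent box"
    hide_outgoing: bool = False   # "Hide this box from the mail server"

def route(unit, client_ip, dst_ip, rcpt_domain, mx):
    """Return (direction, delivery, next_hop, source_ip) for one SMTP session."""
    # Direction depends only on the destination IP, never on the recipient domain.
    incoming = dst_ip in unit.protected.values()
    direction = "incoming" if incoming else "outgoing"
    proxied = unit.proxy_incoming if incoming else unit.proxy_outgoing
    if proxied:
        # Proxy: forwarded to the server the client addressed, no queue on failure.
        delivery, next_hop = "proxy", dst_ip
    else:
        # Built-in MTA: MX/A resolution on the recipient domain picks the next hop.
        delivery, next_hop = "mta", mx[rcpt_domain]
    hidden = unit.hide_incoming if incoming else unit.hide_outgoing
    # A hidden unit reuses the sender IP; otherwise its own IP is the source.
    source_ip = client_ip if hidden else unit.unit_ip
    return direction, delivery, next_hop, source_ip

MX = {"external.lab": "10.0.2.100"}  # MX target as given in the slides

def slide_scenarios():
    """Replay the four intercepted-session scenarios from the slides."""
    dom = {"smarthost.lab": "10.0.3.100"}
    session = ("10.0.1.100", "10.0.3.100", "external.lab", MX)
    tp = "10.0.3.201"
    return {
        "domain+mta": route(TransparentUnit(tp, dom), *session),
        "domain+proxy": route(TransparentUnit(tp, dom, proxy_incoming=True), *session),
        "nodomain+mta": route(TransparentUnit(tp, {}), *session),
        "nodomain+proxy": route(TransparentUnit(tp, {}, proxy_outgoing=True), *session),
    }

if __name__ == "__main__":
    for name, result in slide_scenarios().items():
        print(f"{name:15} {result}")
```

The recipient domain is external.lab in every run, yet the session is classed as incoming whenever 10.0.3.100 is listed as a protected domain's server, which is the point of the first slide.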