Firewall Rule vs. Email Policy

Question

Hello Folks, 
 i'm a bit confused about the whole mail scanning configuration. If you create a new SMTP policy under Email -> Policies & Exeptions you can set Malware Protection settings like Scan Engines and antivirus action. If you create a firewall rule, you can set email content scanning for e. g. SMTP. Do i have to set both? I thought that the MTA will scan based on the policy i mentioned first. When do i havew to set the scanning via firewall rule? 
 Thanks in advance!

LuCar Toni · Accepted Answer

V17.5 or V18? 
 
 Actually you do not need the MTA Scanning Rule for MTA Mode. 
 The MTA Mode will be configured via "Email" in XG. 
 To allow traffic talking to the email Module, you only need "Device access --> SMTP". That will activate the SMTP MTA Mode in XG and Clients / Server are able to talk to XGs MTA Mode by talking to the Interface of XG (WAN or LAN). 
 The MTA Scanning rule will simply activate a transparent MTA Proxy and allow Scanning all SMTP Traffic Through XG. But Likely this is not needed in most setups as they only use MTA (Server to Server). Transparent Proxy is likely only used between Client and Server (For example POP3 and IMAP). 
 
 The only use case of the MTA firewall rule in V17.5 is to setup the outbound IP for MASQ. You have multiple IPs on WAN and want to send mails from IP2. That is the only usecase i can describe. This will be not the case anymore in V18.

LuCar Toni · Answer

https://community.sophos.com/products/xg-firewall/f/recommended-reads/122602/how-to-setup-mta-mode-when-you-have-multiple-wan-ports-or-alias-ip-addresses