Hi everyone,
customer switched over to XG in MTA mode for their email protection. They want to have their public IP for outgoing mails masqueraded with an alias on their WAN interface. In v17, there was an "automatic" rule that was created in MTA mode. It is actually still created in v18, but it is a relic from v17 for MASQing traffic, since v17 did not have a separate NAT table, correct? I know that you actually can delete this rule, as SMTP traffic to the firewall is allowed in the device access matrix and by whitelisting the host-based/auth. relays.
So we created an SNAT rule, which did not work; the counter remained at 0. I assume this is because the outgoing mail traffic is system generated and therefore not passing through the forwarding firewall. Mails got MASQed by the WAN link balancing, which did not go well with some receiving mail hosts. Ok, so I took a look at SD-WAN policy routes to lock SMTP traffic to a gateway and quickly found out that system generated traffic cannot be routed by PBRs unless enabled via CLI (see docs). As this was a migrated firewall from v17 with a ton of policy routes, I did not want to mess with that at that point. In the end, I enabled the option "Route inbound mail through gateway" in general settings, which used the oldschool automatic rule and its linked NAT rule. That worked fine. Still, there has to be an easier way? Could somebody outline the easiest way to MASQ outgoing SMTP traffic with a specific IP for v18?
Regards, JW
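Added note, not part of JW's post and not a confirmed Sophos answer: SFOS has a CLI setting for NATing system-generated traffic separately from the forwarded-traffic NAT table, which is the mechanism that matters for MTA-mode outbound SMTP, since that traffic originates on the firewall itself and never hits a user-defined SNAT rule. The exact syntax below is written from memory of the `set advanced-firewall sys-traffic-nat` command and should be verified against the SFOS release notes or `console> show advanced-firewall` on the box before use; the IP addresses are constructed placeholders, not values from the post.

```console
# Inspect the current state; the output lists a "System Generated Traffic NAT"
# section if the feature is present on this SFOS build.
console> show advanced-firewall

# Constructed example: NAT all system-generated traffic to 0.0.0.0/0 (i.e. any
# destination, so it also covers outbound SMTP) to the WAN alias 203.0.113.25.
# 203.0.113.25 is an RFC 5737 documentation address standing in for the alias.
console> set advanced-firewall sys-traffic-nat add destination 0.0.0.0 netmask 0.0.0.0 snatip 203.0.113.25

# If only mail relays should be affected, narrow the destination instead of
# using 0.0.0.0/0 (again a constructed value):
console> set advanced-firewall sys-traffic-nat add destination 198.51.100.0 netmask 255.255.255.0 snatip 203.0.113.25

# Roll back with the matching delete:
console> set advanced-firewall sys-traffic-nat delete destination 0.0.0.0 netmask 0.0.0.0 snatip 203.0.113.25
```

Whatever mechanism is used, confirm the effect end to end rather than trusting the rule counter: send a test message to an external mailbox and check the `Received:` header of the delivered mail, which shows the source IP the receiving MTA actually saw. A source that differs from the published SPF/PTR records is exactly the failure mode JW hit with link balancing, so the same check is the regression test for any SNAT or policy-route change here.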