What is the "Auto added firewall policy for MTA"?

Shuze,

the rule is created automatically once you enable the MTA mode on Email Protection. Firewall rule is needed otherwise traffic is dropped. Try to disable the rule and see that traffic will be dropped.

I do not why the KB says that. Maybe they consider the fact that the rule is automatically created by the XG.

Let us know.

Regards,

Dear Luk,

After switch to MTA mode, the auto created rule has no any traffic through it.

But the MTA mode works well, mail can send and receive through XG relay.

That's what I don't understand about the auto rule...

Shunze

Hi Shunze, 

I have not come across any MTA configuration yet, so I think I need to check with other teams about this. If the rule has no real meaning, I think that should be fixed in v16.5.

Do you see that rule in v16.5?

Thanks

I didn't try V16.5 yet,
so I can't answer you about this.

It still creates the auto rule in 16.5.  

I just tested and turned off this rule, but email still comes in just fine.

I'm curious like everyone else what this really does or what its for?  Seems like rather than create a rule, it should check the box for SMTP on WAN interface for you under Device Access.  I was about to create a new post until I found this one.  My rule also said 0kb in and out, but everything was working fine.

Thanks

Thank DMR188 for testing!

I have raised the question internally. Let's see what information do I receive to share.

Finger's crossed.

Hi DM,

Is your Email client explicitly connecting to the MTA? Auto rule is for transparently intercepting the Email traffic when Email-Clients are not defined to connect the IP address of MTA.

When the Email-Clients are connecting to the MTA IP address explicitly, then you just need to enable MTA for respective zones in the Device Access settings.

Thanks

Hi DM,

Is your Email client explicitly connecting to the MTA? Auto rule is for transparently intercepting the Email traffic when Email-Clients are not defined to connect the IP address of MTA.

When the Email-Clients are connecting to the MTA IP address explicitly, then you just need to enable MTA for respective zones in the Device Access settings.

Thanks