Concepts And Flow

Client-server connections in SMTP

Client-server connections and connection directionality in SMTP differ from how you may be familiar with them in other protocols.

In the SMTP protocol, an SMTP client connects to an SMTP server, which seems consistent with the traditional client-server model of communications. However, because SMTP supports relaying, the SMTP client may be either:

  • an email application on a user’s personal computer
  • another SMTP server that acts as a delivery agent for the email user, relaying the email to its destination email server

The placement of clients and servers within your network topology may affect the operation mode you choose when installing a FortiMail unit. If your FortiMail unit will be operating in gateway mode or server mode, SMTP clients — including SMTP servers connecting as clients — must be configured to connect to the FortiMail unit.

Terms such as MTA and MUA describe server and client relationships specific to email protocols.

MTA

A Mail Transfer Agent (MTA) is an SMTP server that relays email messages to another SMTP server.

FortiMail units operating in gateway mode function as an MTA. FortiMail units operating in server mode function as an MTA and full (SMTP, IMAP, POP3, webmail) email server.

To deliver email, an MTA must query a DNS server for the recipient domain's MX record and the corresponding A record, unless the email is incoming and the destination email server has no domain name and is reached by IP address only. For more information, see “The role of DNS in email delivery” on page 8.
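As an added illustration of the lookup described above (this is not code from the FortiMail guide or from Fortinet), the following Python function turns a recipient address into an ordered list of delivery IP addresses. The MX and A tables are constructed in-memory stand-ins for DNS answers so the example runs offline; the ordering of exchanges by lowest preference value first follows RFC 5321, and the address-literal form `user@[192.168.0.1]` models the "no domain name, accessed by IP address only" case in which no DNS query is needed.

```python
# Added example (not from the FortiMail guide): how an MTA resolves a
# recipient into delivery targets via MX and A lookups. DNS data below is
# a constructed in-memory table so that the example runs offline.
import re

# Constructed zone data: domain -> list of (preference, exchange hostname)
MX_TABLE = {
    "example.com": [(20, "mx2.example.com"), (10, "mx1.example.com")],
}
# Constructed A records: hostname -> IPv4 address
A_TABLE = {
    "mx1.example.com": "203.0.113.10",
    "mx2.example.com": "203.0.113.20",
}

# RFC 5321 address literal in the domain part, e.g. user@[192.168.0.1]
ADDRESS_LITERAL = re.compile(r"^\[(\d{1,3}(?:\.\d{1,3}){3})\]$")


def delivery_targets(recipient, mx_table=MX_TABLE, a_table=A_TABLE):
    """Return the ordered list of IP addresses an MTA would try for recipient.

    If the domain part is an address literal (the "no domain name, accessed
    by IP address only" case), the literal is returned directly and no DNS
    lookup is performed. Otherwise the domain's MX records are sorted by
    preference (lowest first) and each exchange's A record is resolved.
    Exchanges without an A record are skipped.
    """
    local_part, _, domain = recipient.rpartition("@")
    if not local_part or not domain:
        raise ValueError("recipient must be of the form local-part@domain")
    literal = ADDRESS_LITERAL.match(domain)
    if literal:
        return [literal.group(1)]
    exchanges = sorted(mx_table.get(domain.lower(), []))
    targets = []
    for _preference, host in exchanges:
        ip = a_table.get(host.lower())
        if ip is not None:
            targets.append(ip)
    return targets


if __name__ == "__main__":
    for rcpt in ("alice@example.com", "bob@[192.168.0.1]", "carol@nomx.example"):
        print(rcpt, "->", delivery_targets(rcpt))
```

A domain with no MX records yields an empty list here; a production MTA would then apply the implicit-MX rule (try the domain's own A record) or generate a bounce, which is outside what this passage covers.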

MUA

A Mail User Agent (MUA), or email client, is software such as Microsoft Outlook that enables users to send and receive email.

FortiMail units support SMTP connections for sending email from an MUA.

FortiMail units operating in server mode support POP3 and IMAP connections for retrieval of email by an MUA. For email users who prefer to send and retrieve email from a web browser instead of a traditional MUA, FortiMail units operating in server mode also provide FortiMail webmail.

Incoming versus outgoing directionality

Many FortiMail features such as proxies and policies act upon the directionality of an SMTP connection or email message. Rather than being based upon origin, incoming or outgoing directionality is determined by whether the destination is a protected domain.

Incoming connections consist of those destined for the SMTP servers that are protected domains of the FortiMail unit. For example, if the FortiMail unit is configured to protect the SMTP server whose IP address is 192.168.0.1, the FortiMail unit treats all SMTP connections destined for 192.168.0.1 as incoming.

Outgoing connections consist of those destined for SMTP servers that the FortiMail unit has not been configured to protect. For example, if the FortiMail unit is not configured to protect the SMTP server whose IP address is 10.0.0.1, all SMTP connections destined for 10.0.0.1 will be treated as outgoing, regardless of their origin.

Figure 1: Incoming versus outgoing SMTP connections

Directionality at the connection level may be different than directionality at the level of email messages contained by the connection. It is possible that an incoming connection could contain an outgoing email message, and vice versa.

For example, in the above figure, connections from the internal mail relays to the internal mail servers are outgoing connections, but they contain incoming email messages. Conversely, connections from remote MUAs to the internal mail relays are incoming connections, but may contain outgoing email messages if the recipients’ email addresses (RCPT TO:) are external.

As with the directionality of an SMTP connection, FortiMail units determine the directionality of an email message by examining the domain to which the recipient belongs. If the recipient email address belongs to a protected domain, the email message is considered incoming; if it does not belong to a protected domain, the email message is considered outgoing.
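To make the two levels of directionality concrete, here is an added Python example (not FortiMail's own logic or configuration) that classifies a connection by its destination IP and each message by its RCPT TO domain, exactly as the text describes. The protected server address 192.168.0.1, the unprotected address 10.0.0.1, the protected domain `example.com`, and the SMTP sessions are constructed values; they reproduce the two mixed cases above, an incoming connection carrying an outgoing message and an outgoing connection carrying an incoming message.

```python
# Added example (not FortiMail's code): connection-level versus
# message-level directionality, evaluated over constructed sessions.
from dataclasses import dataclass

# Constructed configuration: the SMTP server (by IP) and the email domain
# that the FortiMail unit is assumed to protect.
PROTECTED_SERVER_IPS = {"192.168.0.1"}
PROTECTED_DOMAINS = {"example.com"}


def connection_direction(dst_ip, protected_ips=PROTECTED_SERVER_IPS):
    """Connection directionality depends only on the destination, never on the origin."""
    return "incoming" if dst_ip in protected_ips else "outgoing"


def message_direction(rcpt_to, protected_domains=PROTECTED_DOMAINS):
    """Message directionality depends on the domain of the RCPT TO address.

    Accepts either a bare address or the angle-bracketed form seen on the
    wire (RCPT TO:<user@domain>); comparison is case-insensitive.
    """
    domain = rcpt_to.rpartition("@")[2].strip("<>").lower()
    return "incoming" if domain in protected_domains else "outgoing"


@dataclass
class SmtpSession:
    src_ip: str        # origin of the TCP connection (ignored for direction)
    dst_ip: str        # destination SMTP server
    recipients: list   # RCPT TO addresses carried inside the connection


def classify_session(session):
    """Return (connection direction, {recipient: message direction})."""
    conn = connection_direction(session.dst_ip)
    msgs = {r: message_direction(r) for r in session.recipients}
    return conn, msgs


# Constructed sessions mirroring the two mixed cases in the text.
SAMPLE_SESSIONS = [
    # Remote MUA submitting to the protected relay, but the recipient is external.
    SmtpSession("198.51.100.7", "192.168.0.1", ["<bob@partner.example>"]),
    # Relay delivering to an unprotected server, but the recipient is a protected domain.
    SmtpSession("192.168.0.1", "10.0.0.1", ["<alice@example.com>"]),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        conn, msgs = classify_session(s)
        print(f"{s.src_ip} -> {s.dst_ip}: {conn} connection; messages: {msgs}")
```

A policy engine that keyed only on the connection direction would apply outbound policy to the first session and inbound policy to the second, which is exactly the mismatch the text warns about; the per-recipient result is what a message-level policy should consume.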


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
