Support Center > Search Results > SecureKnowledge Details
Mail Transfer Agent (MTA) - FAQ Technical Level
Click Here to Show Entire FAQ
  • When to use MTA?
      • Scenario 1: Encrypted SMTP Traffic

        Some SMTP server, such as Microsoft Exchange Server, could enforce a connection from an SMTP client to be sent over TLS. The client could be another SMTP server or a mail client ? both are considered an SMTP client, when sending an SMTP message.

        Example of the SMTP negotiation over TLS:

        Server: 220 ESMTP SmtpService
        Client: HELO
        Server: 250 Hello
        Server: 250 STARTTLS
        Client: STARTTLS
        Server: 220
        Client & Server: <Start a TLS session>
        Client over TLS: EHLO
        Server over TLS: 250 Hello
        Client over TLS: MAIL FROM:<>
        Server over TLS: 250 Ok
        Client over TLS: RCPT TO:<>
        Server over TLS: 250 Ok

        When the connection is sent over TLS, it is encrypted and the Security Gateway cannot inspect the encrypted traffic, unless MTA is implemented.

        The Mail Transfer Agent feature enables the Security Gateway to intercept the encrypted connection between the SMTP client and the SMTP server and to inspect that connection.

    • Scenario 2: Timeout for SMTP Traffic inspected by Threat Emulation

      It is possible that during file emulation, the e-mail server cannot keep the connection open for the time that is necessary for full emulation.

      When this happens, there is a timeout for the e-mail. A Threat Emulation (available since R77) deployment with an MTA avoids this problem - the MTA completes and closes the connection with the source SMTP client and then sends the file for emulation. After the emulation is completed, the MTA sends the email to the mail server in the internal network.
  • How does MTA work?

    When an SMTP client is searching for the mail recipient's server address, the SMTP client is sending a DNS query for an MX (Mail eXchanger) record. The query is sent to a DNS server when trying to resolve the domain name that appears after the "@" sign in an email address (e.g., the in

    The MX record on DNS server contains the SMTP server address in a domain name format (e.g., The record should appear as follows: MX preference = 10, mail exchanger =

    When the Mail Transfer Agent (MTA) feature is enabled on Security Gateway, the MX record should be changed to the Security Gateway's External IP address. This way, when an SMTP message is sent, the MX query will be resolved to the Security Gateway's IP address, and the message will be received by the Security Gateway.

    When MTA is enabled, a Postfix service is enabled on the Security Gateway. The Postfix server on the Security Gateway enforces the TLS negotiation instead of the SMTP server and receives the message before the SMTP server. This allows the Security Gateway to inspect the message by the relevant Software Blades.

    After inspecting the message, the MTA either forwards the message to the next-hop SMTP server, drops the message if it is malicious, or extracts the malicious file - according to the Software Blades configuration.
  • How to configure MTA?

    For more details, refer to sk109699 - ATRG: Mail Transfer Agent (MTA).

    1. Configure on the DNS server an MX record that points to the Security Gateway's External IP Address.

    2. In SmartDashboard, open the Security Gateway / Cluster object.

    3. Enable either Threat Emulation blade (available since R77), or Anti-Spam & Email Security blade.

    4. Go to Mail Transfer Agent pane - check the box Enable as a Mail Transfer Agent (MTA).
    5. In the Mail Forwarding section, add one or more rules:

        1. Click on the relevant button on the toolbar

        2. Right-click in the Domain cell - select Edit...

        3. Enter the domain for the SMTP traffic for this rule.
          The default setting is to use the wildcard (*) to send all traffic, but it is recommended to add the managed domain name instead of keeping the default *, to prevent the spam traffic.

        4. Click OK.

        5. Click in the Next Hop cell - select the node object that is represents the mail server for this rule.

          Optional: Check the box
      Sign scanned emails
        - enter the message to add at the bottom of inspected e-mails.
    6. If the mail server uses TLS inspection, follow these steps to configure the MTA to support it:

      1. Refer to the SMTP/TLS section.

      2. In Step 1, click on Import certificate for SMTP/TLS link.
        1. The Import Outbound Certificate window opens.

        2. Click Browse - select the certificate file.

        3. Enter the Private Key password for the certificate.

        4. Click OK.
      3. In Step 2, check the box Enable SMTP/TLS.

      Optional: In the Advanced Settings section, click on Configure Settings...button - configure the MTA interface and e-mail settings.

    7. Click OK.

    8. Install the policy on Security Gateway / Cluster.
  • On which Software Blades should MTA be enabled?

    Mail Transfer Agent (MTA) is supported by the following blades:

    • Threat Emulation (available since R77)
    • Threat Extraction (available since R77.30)
    • Anti-Spam & E-mail Security
    • Anti-Virus (starting from R80.10)

    Note: Scanning e-mails passing through MTA is only supported by the blades listed above. There are 2 ways to scan SMTP traffic:

    • Streaming (through the FireWall kernel) - works for all blades
    • MTA (through user space and using postfix) - works for Threat Emulation, Threat Extraction, Anti-Spam & E-mail Security

    Note: Mail Transfer Agent (MTA) is not supported on Security Gateway in VSX mode R77 / R77.10 / R77.20 / R77.30.


Related documentation and solutions:

Give us Feedback
Please rate this document