Not applicable

Issue allowing SMTP in.

Outbound is fine, but I have issues with inbound. I have a firewall policy for ISP-mail to the trusted Exchange 2010 server, but when looking at the logs on the ISP mail server, the connection to x.x.x.x:25 times out after 15 seconds and the email is sent to the retry queue.
Not applicable

OK, I've used: ISP set to forward to 197, 0.0.0.0 255.255.255.255 in connector and MX created. Hey presto, email coming in. I have changed the exchange_virtual to SMTP and will test again, but this should be fine. Would you suggest changing the 0.0.0.0 to the ISP mail server IP?
Maik
New Contributor II

0.0.0.0 255.255.255.255 in connector and mx created.
The question is what you want to achieve:
- Is your ISP still involved in the mail routing? (Why is the ISP involved? Maybe antispam?)
- Do you expect the whole world to send mails directly to you without the ISP's forward?
I guess you modified your MX records to point to your 197, and you have no other MX in place. In that situation, you skip the ISP for that mail domain and you need to keep the connector open (0.0.0.0 255.255.255.255).
Maik
New Contributor II

Keep your inbound and outbound mail route the same: since you used a VIP with 197 (MX) for inbound mails arriving at that IP, but your outbound mails might go through the default WAN IP (.196?) -> some recipients will not like that due to antispam policies. I did not check your firewall policies, but you might need to add an IP Pool in the outbound SMTP policy that source NATs the traffic to 197: create a Firewall -> VIP -> IP Pool with only .197/32 and add that to the FW policy. The exception is when you use a SmartHost / SmartRelay on your Exchange. Do you forward your outbound mail to your ISP as well?
ede_pfau

Frankly, I'd keep it the way it works. Maybe Maik can give you more advice regarding Exchange. Remember that the RDP policy will not work (I know, you deleted it already); you have to specify 0:65535 as source ports in the custom service definition. Destination port 3389:3389 is fine. I wouldn't recommend RDP across the internet - this is one big, big security hole. Set up a VPN instead. So maybe you leave it deleted anyway.
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

ede, all is happy again in my world! You are a legend! Keep up the good work.
ede_pfau

You're welcome! FYI, what Mike wrote about the source IP being .196 is true normally, but not in your case. IF (capital) the VIP is not using port forwarding, like in your case, THEN the FortiGate will translate your server's source address to the VIP on outbound traffic. And this not only on traffic replies but also on originating outbound traffic. You can verify this by sending an email to yourself. The source mail server's IP should be in the header.
Ede Kernel panic: Aiee, killing interrupt handler!
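The setup the thread converges on, written out as an added FortiOS CLI example (not posted by anyone in the thread): a static VIP for the Exchange host with port forwarding left off, an inbound policy that admits only SMTP to it, and the custom RDP service with the full source-port range that ede_pfau describes. The addresses (203.0.113.197 external, 192.168.1.10 internal), interface names and object names are assumptions.

```fortios
# Added example, not from the thread. Assumed: WAN interface "wan1" carries the
# extra public address 203.0.113.197; Exchange 2010 is 192.168.1.10 on "internal".

# Static 1:1 VIP. With port forwarding off, the FortiGate also translates the
# server's own outbound connections to this address (ede_pfau's point above),
# so no separate IP pool is needed for outbound SMTP to leave as .197.
config firewall vip
    edit "VIP-Exchange-197"
        set extip 203.0.113.197
        set extintf "wan1"
        set mappedip "192.168.1.10"
    next
end

# Inbound: only SMTP (TCP/25) reaches the Exchange host through the VIP;
# everything else aimed at .197 falls through to the implicit deny.
config firewall policy
    edit 0
        set name "Inbound-SMTP-Exchange"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-Exchange-197"
        set action accept
        set schedule "always"
        set service "SMTP"
        set logtraffic all
    next
end

# Custom RDP service as ede_pfau describes it: destination 3389, source ports
# 0-65535 (format is dst-range:src-range). Kept for reference only; the
# thread's advice is to reach RDP over a VPN rather than publish it.
config firewall service custom
    edit "RDP-3389"
        set tcp-portrange 3389-3389:0-65535
    next
end
```

After applying it, the header check ede_pfau suggests (mail yourself and look at the sending IP) confirms whether outbound SMTP leaves as .197 or as the WAN address.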