We currently have a VIP rule set up to port forward SMTP traffic to our internal mail server. We only want to allow inbound SMTP traffic from our hosted mail provider. I created an address group "hosted mail" that contains the IP ranges for our provider. I then set that group as the Source (srcaddr) in our firewall policy. My issue is that SMTP inbound traffic is not restricted to the IP ranges specified. I'm able to confirm this by doing an (external) port scan on tcp/25, and I'm also able to use telnet (externally) to connect to my mail server using my public IP and send an email. What am I missing here?
FortiGate # show firewall vip smtp_nat
config firewall vip
    edit "smtp_nat"
        set uuid a77d2a44-e355-51e6-1c0b-355d1cb54f71
        set extip X.X.X.X
        set extintf "any"
        set portforward enable
        set mappedip "192.168.1.10"
        set extport 25
        set mappedport 25
    next
end

FortiGate # show firewall policy | grep 'smtp' -f
config firewall policy
    edit 47
        set uuid ba8c4a02-e355-51e6-20c1-e65372aef5f8
        set srcintf "wan1"
        set dstintf "internal1"
        set srcaddr "hosted mail"
        set dstaddr "smtp_nat"    <---
        set action accept
        set schedule "always"
        set service "SMTP"
        set utm-status enable
        set logtraffic all
        set comments "Allow SMTP from hosted provider"
        set av-profile "default"
        set ips-sensor "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end
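A policy like 47 only restricts the source if no other accept policy on the same path also matches the DNAT'd traffic first. One way to check for that, as an added example that is not part of the original post and not a Fortinet tool: parse a `show firewall policy` dump in table order (FortiOS evaluates policies top-down in the order they appear, not by ID) and flag every accept policy that can reach the VIP from a source other than the allowed address group. The policy text inside the script is constructed for the example: policy 47 mirrors the poster's rule, and policy 12 is a hypothetical catch-all with `match-vip enable`, assumed to sit above it. The treatment of `dstaddr "all"` (matching VIP traffic only when `match-vip` is enabled) is an assumption about the FortiOS version in use and should be verified against the release notes for yours.

```python
"""Audit a FortiOS `show firewall policy` dump for policies that can reach a
VIP from sources outside an allowed address group.

Added example, not from the forum post and not Fortinet code. The policy dump
below is constructed: policy 47 mirrors the poster's rule; policy 12 is a
hypothetical catch-all with `match-vip enable`, assumed to be listed above it.
"""
import re
from dataclasses import dataclass, field

SAMPLE_POLICY_OUTPUT = '''
config firewall policy
    edit 12
        set srcintf "wan1"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set comments "hypothetical catch-all, constructed for this example"
    next
    edit 47
        set srcintf "wan1"
        set dstintf "internal1"
        set srcaddr "hosted mail"
        set dstaddr "smtp_nat"
        set action accept
        set schedule "always"
        set service "SMTP"
        set comments "Allow SMTP from hosted provider"
    next
end
'''


@dataclass
class Policy:
    policy_id: int
    settings: dict = field(default_factory=dict)

    def values(self, key):
        return self.settings.get(key, [])


def parse_policies(text):
    """Parse `edit N ... next` blocks, preserving table order (= evaluation
    order). Each `set key v1 v2` becomes a list; quoted values keep spaces."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r'edit\s+(\d+)', line)
        if m:
            current = Policy(int(m.group(1)))
            continue
        if line == 'next' and current is not None:
            policies.append(current)
            current = None
            continue
        m = re.fullmatch(r'set\s+(\S+)\s+(.+)', line)
        if m and current is not None:
            key, value = m.groups()
            current.settings[key] = re.findall(r'"([^"]*)"', value) or value.split()
    return policies


def covers(policy_vals, wanted):
    """True if a policy field names `wanted` explicitly or via all/any."""
    vals = {v.lower() for v in policy_vals}
    return wanted.lower() in vals or 'all' in vals or 'any' in vals


def reaches_vip(policy, vip_name, ext_intf, service):
    """True if an accept policy on `ext_intf` can match DNAT'd traffic for the
    VIP. Assumption: `dstaddr "all"` matches VIP traffic only when the policy
    has `match-vip enable`; verify for your FortiOS version."""
    if policy.values('action') != ['accept']:
        return False
    if not covers(policy.values('srcintf'), ext_intf):
        return False
    dst = policy.values('dstaddr')
    hits_vip = vip_name in dst or (
        'all' in dst and policy.values('match-vip') == ['enable'])
    return hits_vip and covers(policy.values('service'), service)


def find_bypasses(policies, vip_name, allowed_src, ext_intf='wan1', service='SMTP'):
    """Return IDs, in evaluation order, of policies that accept traffic to the
    VIP from any source address object other than `allowed_src`."""
    flagged = []
    for p in policies:
        if reaches_vip(p, vip_name, ext_intf, service):
            if any(src != allowed_src for src in p.values('srcaddr')):
                flagged.append(p.policy_id)
    return flagged


if __name__ == '__main__':
    pols = parse_policies(SAMPLE_POLICY_OUTPUT)
    print('policies that bypass the source restriction:',
          find_bypasses(pols, 'smtp_nat', 'hosted mail'))
```

Run it against the real output of `show firewall policy` (the full table, not just the `grep 'smtp'` slice, since the bypassing rule will not mention smtp at all). Any ID it prints above 47 is a policy to re-examine; the same external telnet test from the post, repeated after that policy is narrowed or moved below 47, confirms the fix.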