you're trying to pass that *destination* address through the Fortigate unchanged
Not quite. I want there to be no source address translation at all, so that the source is the last public address before hitting my SMTP server.
On the Palo Alto I have 'no source translation' configured in the NAT policy, so it's essentially transparent in terms of source, with Postfix logs showing the source as being the FortiGate's gateway:
May 8 15:32:12 mid-smtp-01 postfix/smtpd: connect from unknown[192.168.0.1]
May 8 15:32:13 mid-smtp-01 postfix/smtpd: 26E7C60DD404: client=unknown[192.168.0.1]
I feel like if I can forward SMTP to port 25 on the PA on 192.168.0.254 without source translation, in the same way I'm doing from the PA to the SMTP server, it would achieve what I want. Policy route sounded like the way to go, but every combination I've tried doesn't work.
I feel like I'm doing something silly in the policy rule or completely misunderstanding how this would work.
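A quick audit of the Postfix log to confirm whether the MTA is seeing real sender addresses or only the firewall's inside address, as an added Python example that is not part of the thread; the log lines are constructed in the shape of the ones quoted above, and 192.168.0.1 as the FortiGate gateway is taken from the post:

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the Postfix smtpd entries quoted in the
# thread; not the poster's real log (the public address is a documentation value).
SAMPLE_LOG = """\
May 8 15:32:12 mid-smtp-01 postfix/smtpd: connect from unknown[192.168.0.1]
May 8 15:32:13 mid-smtp-01 postfix/smtpd: 26E7C60DD404: client=unknown[192.168.0.1]
May 8 15:40:02 mid-smtp-01 postfix/smtpd: connect from unknown[192.168.0.1]
May 8 15:41:50 mid-smtp-01 postfix/smtpd: connect from mail.example.net[203.0.113.25]
"""

# One 'connect from host[ip]' line per inbound SMTP session; an optional [pid]
# after smtpd is accepted because many syslog setups include it.
CONNECT_RE = re.compile(r"postfix/smtpd(?:\[\d+\])?: connect from (\S+?)\[([^\]]+)\]")

# RFC 1918 space: if the MTA's peer is in here, a NAT device upstream has
# replaced the real sender address with its own.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def connecting_clients(log_text):
    """Yield (hostname, ip) for every smtpd 'connect from' line."""
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            yield m.group(1), ipaddress.ip_address(m.group(2))


def audit_source_nat(log_text, gateway_ips=("192.168.0.1",)):
    """Summarise whether Postfix sees real sender IPs or a NAT gateway.

    A peer that is the firewall's inside address or any RFC 1918 address means
    source NAT is hiding the sender, so DNSBL lookups, postscreen and per-client
    rate limits in Postfix are effectively blind. 'snat_suspected' is set when
    every recorded connection is masked this way.
    """
    gateways = {ipaddress.ip_address(g) for g in gateway_ips}
    masked, real = Counter(), Counter()
    for _host, ip in connecting_clients(log_text):
        if ip in gateways or any(ip in net for net in RFC1918):
            masked[str(ip)] += 1
        else:
            real[str(ip)] += 1
    total = sum(masked.values()) + sum(real.values())
    return {
        "total": total,
        "masked": dict(masked),
        "real": dict(real),
        "snat_suspected": total > 0 and sum(masked.values()) == total,
    }


if __name__ == "__main__":
    print(audit_source_nat(SAMPLE_LOG))
```

Once the FortiGate forwards without source translation, the "masked" counter should drop to zero and the real public addresses should appear in "real".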
If you look at your IPv4 policy page in Sequence mode, what's policy #0?
Not sure there's a sequence tab in v5.2.0, but I don't see a policy #0. I presume this is implicit deny? I have a standard deny any/any all/all rule at the bottom for logging purposes.