MTA mode and Autofirewall rule in v18

Since I am running v18, I thought I would ask this MTA/Email scanning question here as the documentation still seems to be catching up.

I have been experimenting with using MTA mode by explicitly pointing any internal mail servers to it. Very much a traditional approach, and works well.

However, what I did pick up in my testing is that when I enable MTA mode and the auto Firewall rule is created, it has the SCAN SMTP and SMTPS boxes checked. This has the effect that the XG firewall hijacks (transparently) any SMTP connection and then directly sends outbound (bypassing internal server). Assume this is by design, but my preference is for all SMTP outbound traffic to go through an Internal SMTP server first (authenticated), then pass (relay) to the XG. Which I then assume does any Malware and Spam scanning.

My understanding from reading through community and official docs is these check boxes are only used for transparent email scanning and not MTA mode. Is this some sort of hybrid mode, or is it to ensure any connection that initiates on the mail ports (25) is captured by XG? Obviously, this is not for authenticated users and it doesn’t transparently pass email to the internal SMTP server; it directly sends out.

Are these check boxes necessary? Is it for transparent proxy? I just find the auto firewall rule weird, and it isn’t even required for MTA mode. Unless I’m missing an obvious application or setup best practice.

This isn’t an issue, just that I found a lot of it non-trivial and the documentation lacking detail. My setup might be unique, but I suspect this hijacking on port 25 (by selecting the scan SMTP or SMTPS in firewall rule) will break and confuse a few network admins.