The answer to that question is perhaps a little less simple than it appears. My answer would be both yes and no. Let me explain.
When a message comes into the MEG cluster, the traffic comes to the VIP which is serviced by whatever appliance is in charge of the cluster at the moment. If the Master is up, the master will service the VIP. If the master is dead, the failover has control and would service the VIP. The device in charge checks the scanners in the cluster and picks one to which to hand off the connection. That device now handles the rest of the conversation directly, after a fashion. When it decides to send the message onwards, it opens the connection to the onward server and delivers the message. That said, it's a bit more complicated than that.
When digging through packet captures, it can be seen that, when sending mail to an external device, the scanner device creates a TCP/IP packet with the remote server's destination IP and port and its own IP and port as the source. A moment later, the master sends the exact same packet with its IP and port as the source IP. Digging down to the physical level, however, this becomes a bit clearer. When the scanner sends the message, it sends the packets with a destination MAC address of the Master MEG appliance, not the default gateway. For all intents and purposes, the cluster scanners treat the master as their default gateway. The master then adjusts the source IP so that the traffic comes back to itself and then sends it on its way.
The reason I say that both yes and no are valid answers is because sometimes, firewalls/routers don't pay attention to the fact that the destination MAC isn't itself. Rather they work their way in to the IP layer and see the destination IP and go ahead and try to deliver it onward. They shouldn't, but that doesn't always stop them.
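As an added illustration (not from the thread or from the MEG product), the following Python walks a constructed capture from the cluster subnet and reconstructs the two-hop path described above: a scanner frame addressed to the master's MAC, then the master's copy with the source IP rewritten to its own. All MAC and IP addresses are made-up lab values.

```python
from collections import Counter

# Constructed lab addresses (assumptions; not values from the thread).
MASTER = {"ip": "10.0.0.100", "mac": "00:aa:00:00:01:00"}
GATEWAY = {"ip": "10.0.0.1", "mac": "00:aa:00:00:00:01"}
SCANNERS = {"10.0.0.110", "10.0.0.111"}

# Constructed capture summary: (dst_mac, src_ip, dst_ip, dst_port, tcp_seq).
FRAMES = [
    ("00:aa:00:00:01:00", "10.0.0.110", "203.0.113.25", 25, 1000),  # scanner -> master (used as gateway)
    ("00:aa:00:00:00:01", "10.0.0.100", "203.0.113.25", 25, 1000),  # master -> real gateway, re-sourced
    ("00:aa:00:00:01:00", "10.0.0.111", "198.51.100.7", 25, 5000),
    ("00:aa:00:00:00:01", "10.0.0.100", "198.51.100.7", 25, 5000),
    ("00:aa:00:00:01:00", "10.0.0.110", "203.0.113.25", 25, 1001),  # no re-sourced copy follows
]

def hop_chain(frames, master, gateway, scanners):
    """Pair each scanner-originated frame with the master's re-sourced copy.

    Frames are matched on (dst_ip, dst_port, tcp_seq), which the master leaves
    untouched while rewriting the source IP. Returns (chains, unpaired): chains are
    the reconstructed scanner -> master -> gateway hops; unpaired are scanner frames
    the master never forwarded under its own IP. If such a frame still reaches the
    remote MTA, the firewall forwarded it on the IP header and ignored the MAC.
    """
    pending, chains = {}, []
    for dst_mac, src_ip, dst_ip, dport, seq in frames:
        key = (dst_ip, dport, seq)
        if src_ip in scanners and dst_mac == master["mac"]:
            pending[key] = src_ip
        elif src_ip == master["ip"] and dst_mac == gateway["mac"] and key in pending:
            chains.append({"scanner": pending.pop(key), "egress_ip": src_ip, "remote": dst_ip})
    unpaired = [(scanner, dst_ip, seq) for (dst_ip, _, seq), scanner in pending.items()]
    return chains, unpaired

def egress_ips(chains):
    """Real source IPs leaving the cluster; these, not the VIP, need the outbound NAT."""
    return Counter(c["egress_ip"] for c in chains)

if __name__ == "__main__":
    chains, unpaired = hop_chain(FRAMES, MASTER, GATEWAY, SCANNERS)
    for c in chains:
        print(f"{c['scanner']} -> master -> {c['remote']} as {c['egress_ip']}")
    print("unpaired scanner frames:", unpaired)
    print("egress IPs to NAT:", dict(egress_ips(chains)))
```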
Thank you eplossl
It's more clear now
So in your two server cluster scenario, how did you end up setting the NAT on the Firewall? When we look at our outbound test messages, they are coming from the actual IP of the primary, not the VIP. Our primary is .100, failover is .101 and VIP is .102 all on the same subnet.
The master's IP will need a NAT, as will the Failover's. The traffic will go out from the real IP of the master and the failover, whereas the VIP takes all inbound traffic. As long as the master is up and running the traffic should all go out from the master's IP, but if it dies for some reason the traffic will all come out from the failover's real IP.