Inbound SMTP Routing


I have been trying to implement SMTP routing for inbound and outbound SMTP traffic over a GRE tunnel. I have another thread about this, but I am having some trouble with the source of inbound SMTP traffic becoming the destination (screenshot below of packet capture).

( - Sender of incoming mail, - Local IP of the GRE tunnel)

I am not really sure why this is happening but I did notice when looking at the firewall log, that this traffic is using the default Firewall and NAT rule. I feel like this is NAT related, where the source IP is becoming the destination. Microsoft ended up blocking my IP address from sending mail to, but I have since managed to get this block removed.

To route outbound SMTP traffic to the GRE tunnel, I am using an SD-WAN route, which I have temporarily disabled so that my IP address does not get blocked again. I am not sure if this is what is causing the loop; it's highly likely that I have not configured this rule correctly (please see below screenshot).

The IP address set in the Source networks is the DMZ IP of the WAN port of the Sophos Firewall.

I know that I am probably sounding like a pain, but I would greatly appreciate any advice that could be given on resolving this. Currently, I can only get outbound to work. Inbound is what I am having real trouble with. Inbound mail doesn't even reach the spool; there is no log entry of it ever getting that far. It seems to hit the firewall then be sent straight back to the sender.


Edited TAGs
[edited by: Erick Jan at 10:38 AM (GMT -8) on 29 Feb 2024]
  • Hi,

    I realise that I might be asking a really silly question, but the lack of response to members' questions here really makes me uncomfortable with proceeding to move to Sophos Firewall. I think I might look at different firewalls to move to from the Sophos UTM, as the support on this forum is really slow to the verge of non-existent. It's disappointing that this forum has become so dry. I remember back when the Sophos UTM was the go-to firewall product from Sophos; the community forums were always active and it was pretty easy to get a supportive response from somebody in the community. I guess things with Sophos have changed since then!


  • Actually, I am wondering why you do GRE in the first place.
    GRE is nearly non-existent in all implementations I am seeing.

    UTM did not support GRE, so why did you install GRE now?


  • Hi,

    I would rather not use a GRE tunnel, but I don't know of any other method to resolve the problem that I have. Email services such as Gmail require that the sender IP address can resolve to the DNS name of the MX record. The GRE tunnel is the only method that I can find to achieve this, as I can physically set the reverse DNS for the tunnel IP address. I am unable to do this with my WAN IP as this is not a leased line.

    On the UTM, I was running SMTP over the WAN connection as I had no other option; I just accepted that I couldn't do outbound SMTP. But moving to Sophos Firewall and seeing that it was capable of GRE, I thought it would be good to implement it so that I could route inbound and outbound SMTP over GRE, so that I could actually have the ability to send mail rather than just receive.

    Annoyingly, I can send mail just fine now over the tunnel, I just can't receive. Every time incoming mail comes over the tunnel, the Sophos Firewall is just routing it back to the sender and I don't know why.

    This is an SMTP capture, incoming mail comes in via the tunnel then goes straight back to the sender: