DNAT Sinkhole / Blackhole doesn't work for SMTP Relay

I have a Sophos UTM with v9.712-13. I understand from Rule #2 in "rulz" that DNAT is evaluated before the firewall rules:

  1. the connection tracker (conntrack) first
  2. then Country Blocking
  3. then the 'ICMP' tab in 'Firewall': Traceroute and Ping are regulated on the 'ICMP' tab.  The "All" service only includes TCP and UDP - none of the other IP protocols are included.
  4. then Intrusion Prevention (see the images below to see that IPS actually can happen in several places but happens only once!)
  5. then DNATs*
  6. […]

I added a rule to NAT to sinkhole everything coming from anywhere to a host group with the external interfaces to an invalid host:

WAN interfaces contains the external addresses, no networks – I read elsewhere that it's not evaluated properly:

But I still get logs from SMTP like this:

exim-in[9161]: 2022-10-29 15:14:58 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="REDACTED" from="" to="@" size="0" reason="host_blacklist" extra="REDACTED blacklisted"

Could it be that exim is exempt from DNAT here for any reason? I already toggled all NAT rules and the SMTP forwarder to no effect.

This thread was automatically locked due to age.
  • Hallo Luca and welcome to the UTM Community!

    Do you see anything relevant in the Firewall log?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA