DNAT Sinkhole / Blackhole doesn't work for SMTP Relay

I have a Sophos UTM with v9.712-13. I understand from Rule #2 in "rulz" that DNAT is evaluated before the firewall rules:

  1. the connection tracker (conntrack) first
  2. then Country Blocking
  3. then the 'ICMP' tab in 'Firewall': Traceroute and Ping are regulated on the 'ICMP' tab. The "All" service only includes TCP and UDP - none of the other IP protocols are included.
  4. then Intrusion Prevention (see the images below to see that IPS actually can happen in several places but happens only once!)
  5. then DNATs*
  6. […]

I added a rule to NAT to sinkhole everything coming from anywhere to a host group with the external interfaces to an invalid host:

WAN interfaces contains the external addresses, no networks – I read elsewhere that it's not evaluated properly:

But I still get logs from SMTP like this:

exim-in[9161]: 2022-10-29 15:14:58 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="REDACTED" from="" to="@" size="0" reason="host_blacklist" extra="REDACTED blacklisted"

Could it be that exim is exempt from DNAT here for any reason? I already toggled all NAT rules and the SMTP forwarder to no effect.