
Unable to block IP address.

Sophos SG210 Hardware

Sophos XG 17.5 GA Firmware

 

-----

This is both an Email Protection and a Firewall Rule issue.

I am using my XG for email filtering inbound and outbound -- Email Protection in MTA mode. (SMTP Relay enabled on WAN zone -- port 25 is NOT in a DNAT.)

Exchange server uses XG as smart host. XG proxies all SMTP to and from Exchange.

XG ONLY allows relaying from Exchange via internal IP. Everything else attempting relay is blocked.

 

I have country blocking rules and IP blocking rules set up.

Very often, an attempt to relay mail off my Exchange server is dropped.

 

I've blocked the source IP but that still does not seem to have stopped the attacker from trying to relay.

 

I am very, very familiar with XG and UTM (Certified Architect in both), so I am pretty confident that I have set this up correctly, but I am starting to have my doubts now.

Looking for any kind of help / ideas.

 

Thanks!

 



  • Just wanted to post an update as I believe I fixed this issue.

    I found and followed this guide, https://community.sophos.com/kb/en-us/123663, which uses the Email Scanning Business application template rule.

    I set the rule up like this and kept SMTP relay enabled on the WAN zone, as well as keeping the original LAN SMTP scanning rule.

     

    Now the only thing appearing in my mail logs is the actual email to and from my Exchange server.

     

    Thanks for all of the help everyone!
