Firewall blocking

Smtp ports (25) are subject of Email Protection Service, when "Transparent Mode" is enabled.
Skip those host or groups from "Transparent Mode", then those host will be handled by the firewall rule 

Hello oldeda,

Thank you for your answer.
Transparent mode is not enabled on the Advanced tab for Email Protection > SMTP.

For what you use Email Protection i mean what is the configuration? 

Hello,

It is configured as incoming and outgoing SMTP server.

I mean you have email server behind

Yes, the UTM 9 is relaying the mail to an Exchange server and the Exchange server is relaying outgoing mail to the UTM 9.

Ok

You have a DNAT rule.

You have "authenticated Users can relay" enabled

1) Is there any other user inside that send emails on port 25?

2) how outside user clients open their mailbox?

There is no DNAT rule (in SMTP config it's just relaying mail to the Exchange server).
"Authenticated users can relay" is enabled indeed.

1) Don't really know what you mean, only the Exchange server is relaying outgoing mail to the UTM
2) They open their mailbox via OWA or Exchange ActiveSync on mobile phones

Why is "Authenticated users can relay" Enabled?

Why is Transparent Mode is not enabled. Any firewall rule about port 25 can compromise your IP spam reputation if Transparent is not enabled

Because I'm using AD users to relay mail, also for any cloud apps I might be using in the future.
I could have choosen for Allowed Hosts/Network but in this case I have choosen for Allowed Users/Groups.

I don't really know why I should enable or disable Transparent Mode, it's still not really clear for me what it does and what the impact is for the current configuration.

I have to say I'm quite new to UTM so maybe that's the whole issue? :)