Firewall blocking

Smtp ports (25) are subject of Email Protection Service, when "Transparent Mode" is enabled.
Skip those host or groups from "Transparent Mode", then those host will be handled by the firewall rule 

Hello oldeda,

Thank you for your answer.
Transparent mode is not enabled on the Advanced tab for Email Protection > SMTP.

Yes, the UTM 9 is relaying the mail to an Exchange server and the Exchange server is relaying outgoing mail to the UTM 9.

Ok

You have a DNAT rule.

You have "authenticated Users can relay" enabled

1) Is there any other user inside that send emails on port 25?

2) how outside user clients open their mailbox?

There is no DNAT rule (in SMTP config it's just relaying mail to the Exchange server).
"Authenticated users can relay" is enabled indeed.

1) Don't really know what you mean, only the Exchange server is relaying outgoing mail to the UTM
2) They open their mailbox via OWA or Exchange ActiveSync on mobile phones

Why is "Authenticated users can relay" Enabled?

Why is Transparent Mode is not enabled. Any firewall rule about port 25 can compromise your IP spam reputation if Transparent is not enabled

Because I'm using AD users to relay mail, also for any cloud apps I might be using in the future.
I could have choosen for Allowed Hosts/Network but in this case I have choosen for Allowed Users/Groups.

I don't really know why I should enable or disable Transparent Mode, it's still not really clear for me what it does and what the impact is for the current configuration.

I have to say I'm quite new to UTM so maybe that's the whole issue? :)

What company do you work for. [:D] 

How they let you: that users can send emails directly from UTM and not from Exchange Server??? 

I think that you configured that AD users can send email, any user is configured to do that. Then, what is the point?

The users are not sending directly to the UTM, Exchange is configured to relay mail to the UTM using a username/password.

I have done this config with future apps in mind which might relay mails to the UTM before sending them to the outside world :)
Like I said, I also could have chosen to add the Exchange server as a trusted host in the Relaying tab, but in this case I have chosen to let the Exchange server authenticate using username/password.

This is not for a company btw, UTM Home edition :)

Ok than you can do some test :)

1. Enable Transparent Mode.

2. Disable Authenticated Can Relay

3. Add Exchange Server to  Relaying 

4. Skip from Transparent those attackers

And that's it

Okay I have done step 1 - 3 but I don't know what you mean with:

4. Skip from Transparent those attackers

ADD Blocked Attackers you created for firewall rule 1, to  Skip Transparent Mode Hosts/Nets under Advanced tab of SMTP. 
Now Blocked Attackers  will be subject of Firewall or NAT rules. You may test delete the firewall rule as well, those hosts will not contact your SMTP anymore

ADD Blocked Attackers you created for firewall rule 1, to  Skip Transparent Mode Hosts/Nets under Advanced tab of SMTP. 
Now Blocked Attackers  will be subject of Firewall or NAT rules. You may test delete the firewall rule as well, those hosts will not contact your SMTP anymore

Thank you, I did that.

Seems that the drop is not really working though:

2018:04:25-15:29:21 mailserver exim-in[31820]: 2018-04-25 15:29:21 SMTP connection from (User) [181.214.206.44]:25680 closed by QUIT

While I added the subnet 181.214.206.0/24 to the Blocked Attackers group.

i just tested with an inside host of mine and it work like should be?. maybe configuring the attackers as host 

Could be, but I configured it like they explain in this post:

https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/39279/blocking-specific-ip-addresses

"The simplest way to implement this, currently, is to create a Network Definition of Type Group (call it Blocked Attackers, etc.), and add the IPs you wish to block as individual host definitions to the group as needed.  Create a Packet Filter Rule, put it at position one, with the group you created (I'll call it Blocked Attackers in this example)... Blocked Attackers -> ANY (service) -> ANY set to Drop... optionally you can enable logging as well."