Thank you very much for your reply.
I'm trying to control the inbound access coming in from the WAN or ISP if you want.
The other services which are allowed are HTTP, HTTPS, DNS, FTP, POP and IMAP in separate rules.
Furthermore, I'm allowing RDP from two restricted zones, which works perfectly btw.
At the top of the list are the policies blocking either everything or SMTP (depending on what had happened), containing hundreds of IPs in their address groups. They are working perfectly. My consideration was to use a kind of allow policy instead of denying hundreds of addresses, to make my life a little easier.
But it seems not to work when I'm using a group instead of single ranges or addresses.
The mentioned policy looks like this and is placed almost directly under the block all bad guys policy:
Source Interface/Zone wan1
Source Address SMTP Allowed List < containing the IP addresses or even countries
Destination Interface/Zone wan2(DMZ)
2xx.xxx.xxx.x1 < DMZ addresses
Service SMTP smtps SSL MAIL (995 993)
Please let me know how I could support you in finding a solution.
Thank you very much
Ps, sorry for my bad English ;-@