After years with Checkpoint products I came to conclusion that if you don't have logical explanation why something doesn't work, it is most probably license issue.
My client stopped getting emails behind UTM-132 at some remote branch . Doing the basics - telnet to port 25 (Checkpoint answered as it should), Exchange answering on port 25 as well didn't come up with anything.
Then I looked at mail spool in the Checkpoint and voila, all the emails that didn't reach internal Exchange were stuck there for no obvious reason.
The reason became obvious when I looked at the SmartTracker and saw "AntiSpam service license expired" message . Only then did I recall that this UTM had once Total security license that included the Antispam , but had expired long ago. Why upon expiring license Checkpoint instead of passing mails without Antispam filtering decided to "hijack" the mails is left without answer.
Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.