New 2013 Setup  - Receive Connector Confusion

I currently have a 2010 environment and I am migrating to 2013. I have two servers built and began to try to set up authenticated relay and I got nowhere and really really confused. I would think this would be a really simple implementation but apparently not :( Long story short, I just want to get back to the default settings for the receive connectors on a dual role clean Exchange install.

Are the below settings correct for the default install of Exchange?  Is anonymous included in the default frontend connectors?  If so, can someone please explain this to me?  

The reason I ask is that I would expect that when I telnet to the mail server on 25 and try to send an email, that I should not be able to do so. But then I think about it and think that external senders would be unauthenticated and now I've confused myself.

In that telnet session if I try to send an email to an external domain name it says unable to relay. If I send to an accepted domain it works. But isn't that a security risk to allow any device on the inside to send unauthenticated to an employee?

I really appreciate any clarification you can add.  

Here is my output for Get-ReceiveConnector | fl Name,AuthMechanism,RemoteIPRanges,TransportRole,permissiongroups,MaxMessageSize
Name             : Default BBC-EXCH02
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : HubTransport
PermissionGroups : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
MaxMessageSize   : 35 MB (36,700,160 bytes)

Name             : Client Proxy BBC-EXCH02
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : HubTransport
PermissionGroups : ExchangeUsers, ExchangeServers
MaxMessageSize   : 35 MB (36,700,160 bytes)

Name             : Default Frontend BBC-EXCH02
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : FrontendTransport
PermissionGroups : AnonymousUsers, ExchangeServers, ExchangeLegacyServers
MaxMessageSize   : 36 MB (37,748,736 bytes)

Name             : Outbound Proxy Frontend BBC-EXCH02
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : FrontendTransport
PermissionGroups : ExchangeServers
MaxMessageSize   : 36 MB (37,748,736 bytes)

Name             : Client Frontend BBC-EXCH02
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : FrontendTransport
PermissionGroups : ExchangeUsers
MaxMessageSize   : 35 MB (36,700,160 bytes)

Name             : Default BBC-EXCH01
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : HubTransport
PermissionGroups : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
MaxMessageSize   : 35 MB (36,700,160 bytes)

Name             : Client Proxy BBC-EXCH01
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : HubTransport
PermissionGroups : ExchangeUsers, ExchangeServers
MaxMessageSize   : 35 MB (36,700,160 bytes)

Name             : Default Frontend BBC-EXCH01
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : FrontendTransport
PermissionGroups : AnonymousUsers, ExchangeServers, ExchangeLegacyServers
MaxMessageSize   : 36 MB (37,748,736 bytes)

Name             : Outbound Proxy Frontend BBC-EXCH01
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : FrontendTransport
PermissionGroups : ExchangeServers
MaxMessageSize   : 36 MB (37,748,736 bytes)

Name             : Client Frontend BBC-EXCH01
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : FrontendTransport
PermissionGroups : ExchangeUsers
MaxMessageSize   : 35 MB (36,700,160 bytes)
February 25th, 2015 11:16pm

These are the default settings.

Even though AnonymousUsers is listed there, you cannot send through it. The front end receive connector is just a proxy to the back end receive connector, which does not allow AnonymousUsers.

Name             : Default *****
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : HubTransport
PermissionGroups : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
MaxMessageSize   : 35 MB (36,700,160 bytes)

Name             : Client Proxy *****
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : HubTransport
PermissionGroups : ExchangeUsers, ExchangeServers
MaxMessageSize   : 35 MB (36,700,160 bytes)

Name             : Default Frontend *****
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : FrontendTransport
PermissionGroups : AnonymousUsers, ExchangeServers, ExchangeLegacyServers
MaxMessageSize   : 36 MB (37,748,736 bytes)

Name             : Outbound Proxy Frontend *****
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : FrontendTransport
PermissionGroups : AnonymousUsers, ExchangeServers
MaxMessageSize   : 36 MB (37,748,736 bytes)

Name             : Client Frontend *****
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : FrontendTransport
PermissionGroups : ExchangeUsers
MaxMessageSize   : 35 MB (36,700,160 bytes)

February 26th, 2015 12:42am

Thanks for the reply. I am confused about the part where you stated that it is just a proxy to the backend which does not allow anonymous.

So I have the receive connectors as seen above and we agree that it is the default configuration. If I telnet to my mail server from a computer on my network on port 25 I am able to send an email to myself spoofing a gmail account.

telnet mailserver 25
ehlo
mail from: test@gmail.com
rcpt to: myemailaddress

At this point it will queue the message for delivery.  Is this not a security risk to allow any device on the inside to send emails to internal users as a spoofed address?  

Is this something that I should be addressing? The only thing I can think of now that I have taken a step back is to create another receive connector with the same settings as the default frontend but uncheck anonymous and a scope of my internal LAN. This would make connections from the inside reaching this server use this new connector, which would block anonymous SMTP requests on port 25.

Am I crazy for thinking this or am I correct / best security practices?

February 26th, 2015 8:18am
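The connector described in the post above, written out as an added Exchange Management Shell example (not from the thread or from Microsoft's documentation). The server name, the LAN subnet and the connector name are assumptions; ExchangeServers and ExchangeLegacyServers are kept so that the second 2013 server and the 2010 hub servers still in the organisation during the migration can keep submitting on this scope.

```powershell
# Added example: a frontend receive connector bound to port 25 whose RemoteIPRanges
# covers only the internal LAN and whose permission groups omit AnonymousUsers.
# Exchange selects the connector with the most specific RemoteIPRanges match for a
# given source address, so LAN hosts land here instead of on "Default Frontend",
# whose scope is 0.0.0.0-255.255.255.255. Internet senders keep using the default.
$server = 'BBC-EXCH02'            # assumed: one of the two 2013 servers
$lan    = '192.168.10.0/24'       # assumed: internal subnet; adjust to yours

New-ReceiveConnector -Name "Internal Authenticated Frontend $server" `
    -Server $server `
    -TransportRole FrontendTransport `
    -Usage Custom `
    -Bindings '0.0.0.0:25', '[::]:25' `
    -RemoteIPRanges $lan `
    -AuthMechanism Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer `
    -PermissionGroups ExchangeUsers, ExchangeServers, ExchangeLegacyServers

# Verify: the new connector must show no AnonymousUsers, and the default frontend
# connector must still be the only one carrying the public 0.0.0.0-255.255.255.255 scope.
Get-ReceiveConnector -Server $server |
    Select-Object Name, TransportRole, PermissionGroups,
        @{ Name = 'RemoteIPRanges'; Expression = { $_.RemoteIPRanges -join ', ' } } |
    Format-Table -AutoSize
```

Any internal device that legitimately submits mail without authenticating (printers, monitoring systems, line-of-business applications) will be rejected on this scope, so inventory those senders first and give them a separately scoped connector or credentials. Repeat on the other server so both answer the LAN consistently.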

Check the message tracking log and search the RECEIVE event. The ConnectorId field tells you which back end receive connector accepted it. Then take a closer look at that back end connector.
February 26th, 2015 8:55am
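The tracking-log check suggested above, as an added Exchange Management Shell example (not from the thread). It pulls RECEIVE events from the last day, groups them by the connector that accepted them and the submitting address, and then lists what a chosen connector accepted; the window, the connector name and the filter on source SMTP are assumptions.

```powershell
# Added example: audit which receive connector accepted recent SMTP submissions.
# Assumes the Exchange Management Shell on a 2013 Mailbox server; adjust -Start.
$since  = (Get-Date).AddDays(-1)
$events = Get-MessageTrackingLog -EventId RECEIVE -Start $since -ResultSize Unlimited |
    Where-Object { $_.Source -eq 'SMTP' }     # drop STOREDRIVER/agent receives

# Count submissions per (connector, client) pair. ConnectorId is "SERVER\Connector Name".
# For a proxied path the ClientIp may be the front end server rather than the
# original host, so compare with the frontend's own log if the IP looks unexpected.
$events |
    Group-Object ConnectorId, ClientIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Drill into one connector, e.g. the one a telnet test landed on (name assumed),
# and show who submitted what to whom. Spoofed external senders from LAN addresses
# stand out here as Sender domains you do not own arriving from internal ClientIp values.
$connector = 'BBC-EXCH02\Default BBC-EXCH02'
$events |
    Where-Object { $_.ConnectorId -eq $connector } |
    Select-Object Timestamp, ClientIp, Sender,
        @{ Name = 'Recipients'; Expression = { $_.Recipients -join '; ' } },
        MessageSubject |
    Sort-Object Timestamp |
    Format-Table -AutoSize
```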

Check the message tracking log and search the RECEIVE event. The ConnectorId field tells you which back end receive connector accepted it. Then take a closer look at that back end connector.
Does yours do the same thing where you can send to your internal users?
February 26th, 2015 1:44pm

February 26th, 2015 8:46pm
