Exchange allows anonymous internal relay by default, is that best practice?
Yes, we need to enable "Anonymous Users" on receive connector so that we can accept message from Internet.
To prevent anonymous relay from internal, we can remove ms-exch-smtp-accept-authoritative-domain-sender permission for Anonymous Users, for example:
Get-ReceiveConnector "Default Frontend <Server>" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission
However, it does not effect on external spoofed message. To prevent it, we need deploy anti-spam firewall.