Exchange allows anonymous internal relay by default, is that best practice?

exchange

Yes, we need to enable "Anonymous Users" on receive connector so that we can accept message from Internet.

To prevent anonymous relay from internal, we can remove ms-exch-smtp-accept-authoritative-domain-sender permission for Anonymous Users, for example:

Get-ReceiveConnector "Default Frontend <Server>" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

However, it does not effect on external spoofed message. To prevent it, we need deploy anti-spam firewall.

Related

Origin of the saying 'all wet'
What are the antonyms of well and swell? [closed]
"So to speak" vs "As it were" [closed]
Is tl;dr used very much outside of the computer programming community?
Is "put in place" a correct English expression?
What's this usage of comma, separating of a list of independent clauses?
What's the difference between fight and battle when they are used as a verb?
Any antonyms of be? [closed]
Is "Kain, that doesn't stop you always." grammatically correct?
Generalized Terms for Categorizing an Occupation Label
What are "the dear years" in Redgauntlet?
What is the transparent part of an envelope called?