Email Open Relay
Within your relay settings you configure for what internal hosts your spam firewall will relay email for, to the outside world. Also you would configure for what domains you would accept email to, from the outside world. However leaving the relay open which is known as an open relay poses a major threat, in which anyone can use the open relay server to send email messages inbound or outbound using the resources of that server. A spammer would send large volumes of email messages through the server. This is because you have nothing specified in your relay settings, so your relay server would accept email from anyone to anyone. This is very dangerous and you would very quickly find your domains and IP addresses blacklisted.
To secure a proxy email server from being an open relay, you would typically specify your internal hosts that emails can be sent from to the outside world, which would usually be your firewall, exchange / domino server. If a connecting host not within this list attempts to send email to the outside world the email proxy server will reject the email message. You can specify this using an IP address or hostname. Also wildcards can be used if more than one host is required. You would also specify your domain and any other domains that email messages from the outside world are accepted for. An even more secure method would be to specify an LDAP server where your email proxy server would check to see if an address destined for a particular user does actually live within the LDAP server. If that user is not listed within the LDAP server, then the email message will be rejected. Using LDAP is much more secure, and is regarded as best practice.
The most common configuration for a spam firewall is to configure it with Microsoft Active Directory. You would configure the spam firewall, and point it to the folder where all your users and groups live within the active directory server. Now when an inbound email comes in, the spam firewall will check the recipient address to see whether it lives within Active Directory and if it does not the email will be dropped immediately. This is another method of connection control. Stopping emails at the connection layer is a good thing, as content control takes up much more memory and processing power when compared to the connection layer.