what are you seeing that makes you think you are an open relay.

 From email posted to sbs2k Yahoo Group by Charles Anthe, Microsoft SBS
Program Manager on 2/5/04

"SBS 2003 is not an open relay by default, or after any run of CEICW. We
have done extensive security testing to verify that the default SMTP
relay settings are secure by default. The defaults after the run of
CEICW are to allow relay for:

External WAN IP
Localhost (127.0.0.1)
Internal LAN IP subnet
Any authenticated user
These defaults are different than Exchange 2003 Server defaults (which
allow no IPs, because Exchange does not have knowledge of the local
network in the same way SBS does, and so requires a higher level of
administration expertise, which is why you see dedicated Exchange admins
in large companies).

Localhost is added because otherwise sometimes items such as the
monitoring report and other server-originating mails do not send
correctly (the SMTP settings for healthmon default to “localhost”). The
external WAN IP is added in case the routing table routes other mails
from the server as coming “from” the WAN IP (not likely but we have seen
this behavior in testing from time to time when the priority of the
network cards get mixed up). Any authenticated user is to enable remote
users using POP3 or IMAP who need to send mail directly to the server,
and is perfectly secure as long as no one guesses one of your
username/password pairs (so stop using “password” J)

Can you remove item 1 and still have 100% functionality? Probably. We
added it because it did not increase the security risk of becoming a
spam relay and solved corner case problems with mail that we found in
testing.

Can you remove item 2 and still have 100% functionality? Doubtful. We
found that removing this often caused problems with e-mail alerts and
monitoring reports.

Can you remove item 3 and still have 100% functionality? Doubtful –
while in theory all of your users will authenticate from Outlook to the
server, I think you risk a lot of functional problems that you’ll end up
having to figure out.

Can you remove item 4 and still have 100% functionality? Sure – as long
as you don’t have remote users trying to send mail directly through SMTP
(such as POP3/IMAP users) and you leave item 3 in the list.

For this entire list, we performed extensive testing to make sure this
was the minimum set we can provide that ensures that all e-mail is sent
correctly that should be, while maintaining the integrity of the server.
These settings are not vulnerable to IP spoofing attempts, as far as we
can tell. If you find that your SBS server is being used as an open
relay, my first suspicion would be that someone has found a
username/password pair to authenticate to your server. In this case,
your first step would be to uncheck the “allow authenticated users”, but
you should also identify the user in question, because they also have
access to OWA, RWW, and VPN, all of which would allow them to send mail
and still be within the other SMTP relay restrictions."