Today, I'll be touching on our Anti-Relay settings and the configuration of the same. As a general rule, the configuration of the Anti-Relay settings should be fairly straightforward. That said, there is power available in the anti-relay settings which most users never tap. In addition to covering the basic configuration, I'll also address the less common configuration settings available here as well.
In the anti-relay configuration, there are three classifications which can be given to a domain/IP/hostname. They can be classified as a Local Domain, a Permitted Domain, or a Denied domain. There is a hierarchy here, so I'll work from the bottom to the top.
The first option in our hierarchy is the Local Domain. The Local Domain setting identifies a domain name for which the appliance will accept incoming mail and the host IPs/names from which we will accept mail for delivery to any domain. By default, when setting up Anti-Relay, admins will enter the domain name for which the appliance should accept email as a Local Domain. This indicates to the appliance that it should accept mail for this domain. For customers with the appliance acting as an outbound mail filter, the admin should also specify the internal mail server IPs (or hostnames, but this is not recommended) for their environment. Note that if there is not at least one Local Domain specified in the appliance, it will act as an open relay for mail. Thus admins should ensure that at least one domain or hostname/IP is identified as a Local Domain, as long as the appliance is in Explicit Proxy mode. If the appliance is a Transparent Bridge or Router, the appliance can check these things, but this checking is usually handled by the mail server behind the appliance.
Next up the hierarchy is the Denied Domain. A denied domain is almost always a domain name, although it can also be an IP address or hostname. This defines the list of domains for which the appliance will refuse all mail or the list of hosts from which the appliance will refuse all mail. The denied list takes precedence over the Local Domain listing. Thus, if an admin wanted to define that any host within a particular subnet was allowed to send mail, but subsequently wanted to refuse mail from one or more machines within that subnet, they could set up a denied domain entry which covers the forbidden machines, and that would result in those machines being unable to send mail. Likewise, if an admin wanted to refuse mail for some external domain, they could also specify that domain as a denied domain.
Finally, we have the Permitted domain. A Permitted Domain entry takes precedence over any Denied Domain entry present. Thus, an admin could use a Permitted Domain entry to allow an exception to a denied domain rule. Like in the other two cases, a Permitted Domain can be entered as a domain name or as an IP or host name. Most commonly, the permitted domain would be used as an IP address or hostname, however, since it's being used to override Denied domains.
Note that if Anti-Relay blocks a message from coming in, the reports will show that Anti-Relay is what blocked the message. Additionally, depending on whether the block was an IP-based block or a domain-based block will determine whether a recipient email might show up in the reports.
I hope this helps!