I just set up the Open Source edition of Zimbra for the first time on a local machine and found out that I can telnet to the SMTP port and send out emails with no authentication whatsoever. I also tried sending emails from Evolution and Outlook using the machine as an unauthenticated SMTP server and all the mails got through so far. It looks as though that Zimbra is set up as an open relay by default.

I have checked the Zimbra admin console and my MTA server settings are as follows:

1) Enable Authenticate (checked)
2) TLS Authentication only (checked)
3) Web mail MTA hostname (set to a domain name that points to my local IP)
4) Web mail MTA port (25)
5) Web mail MTA timeout (empty)
6) Relay MTA for external delivery (empty)
7) External DNS lookups (checked)

Are these MTA settings only for web mail? What do I do to enable SMTP authentication when an external email client wishes to use the server as an authenticated mail relay? Is this possible to set inside the Zimbra admin panels or do I need to edit the postfix configuration files?