Is your server currently acting as an open relay? That's not the standard config, like Phoenix says.
I dont understand your question of why does Zimbra not disallow such a configuration though, as in some circumstances, it may be required behaviour.
To test that your system is not allowing relay try this:
You should get a 550 response to that last line, which is the server rejecting your mail rather than accepting it and then bouncing it to the 'sender' which is of course, the victim address.
telnet mail.yourzimbraserver.tld 25
mail from: firstname.lastname@example.org
rcpt to: invaliduser@yourRealDomain.com