There are two scenarios where users don't have to authenticate:
1) You send to a rdcipient who is on the server.
Then isn't that a security issue? That means i can send mails to any user in our domain and that mail might look like as if the mail has been sent by our MD . I can then send any type of mail to email@example.com
will think that the mail has been sent by firstname.lastname@example.org
, but in reality the mail has actually been sent by email@example.com
- but there is no reference of firstname.lastname@example.org
in the mail.