There are two scenarios where users don't have to authenticate:
1) You send to a rdcipient who is on the server.
Then isn't that a security issue? That means i can send mails to any user in our domain and that mail might look like as if the mail has been sent by our MD . I can then send any type of mail to firstname.lastname@example.org
will think that the mail has been sent by email@example.com
, but in reality the mail has actually been sent by firstname.lastname@example.org
- but there is no reference of email@example.com
in the mail.