This is the normal behaviour of mail servers as specified in the RFC and has nothing to do with hackers. The email protocol does not specify sender address verification for emails delivered to local accounts. This does not mean that your server is an open relay.
You might be able to add some verification for this by, e.g., using SPF records in your DNS server and Postfix setup, and there are also a lot of UCE configuration options in Postfix where you can restrict the senders. But be careful that you do not deny any valid mail deliveries.
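A sketch of how the sender restrictions and SPF check mentioned above can look in Postfix, added here as an example and not part of the original post. The domain `example.com`, the map file `/etc/postfix/sender_access` and the `policyd-spf` service (an SPF policy daemon installed separately and defined in `master.cf`) are assumptions.

```conf
# /etc/postfix/main.cf (fragment, added example)
#
# Assumed SPF record published in DNS for the placeholder domain:
#   example.com.  IN TXT  "v=spf1 mx -all"
#
# Assumed contents of /etc/postfix/sender_access (placeholder domain):
#   example.com   REJECT Log in to send mail from this domain
# This rejects unauthenticated mail that claims a sender in your own
# domain. It also rejects such mail arriving via external forwarders or
# mailing lists, so check your logs before enforcing it.

# Sender checks: trusted networks and authenticated users pass first,
# everything else must have a resolvable, fully qualified sender domain
# and must not claim to come from the local domain.
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/sender_access

# Recipient checks: reject_unauth_destination is what keeps the server
# from being an open relay. The SPF policy service is queried only for
# mail that is addressed to local or relay domains.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf

# To trial a rule without losing mail, prefix it with warn_if_reject,
# which logs the would-be rejection instead of enforcing it, e.g.:
#   warn_if_reject reject_unknown_sender_domain
```

After editing the access map, rebuild it with `postmap /etc/postfix/sender_access` and apply the configuration with `postfix reload`.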