I think the original sender and several of the respondents may be confusing 'spam with forged headers' with 'open relaying.'
The original question was not about his relay being hijacked to send spam; it was about mail coming IN to his company xyz.com for [EMAIL PROTECTED], purporting to be from another sender at xyz.com when it really came from somewhere else. That's NOT open relaying, that's forging headers, and there's not much you can do about it without breaking things. (What if [EMAIL PROTECTED] wants to use her xyz.com return address when she's sending mail from home to [EMAIL PROTECTED] via her local ISP dialup -- why would you want to block that?) What's the difference if incoming spam has one forged address or another anyway? It's still spam! 'Switching to Postfix', using a 'content security gateway', or 'TLS' are not going to solve this problem (forging of email headers).
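The distinction the post draws (open relaying versus an inbound message whose claimed sender is in your own domain) comes down to three facts about the SMTP transaction: where the connection comes from, whose domain the envelope sender claims, and whose domain the recipient is in. The following is an added example, not code from the post or from any mail server mentioned in the thread; `xyz.com` is the domain used in the post, while the internal network range, the log line format and the classification labels are constructed for illustration. It classifies transactions from a constructed log and shows why the "roaming user on ISP dialup" case looks identical to a forged-sender message at the envelope level, so it is only flagged for review rather than treated as a relay attempt.

```python
import ipaddress
from typing import NamedTuple

# Assumption: the company domain from the post.
INTERNAL_DOMAIN = "xyz.com"

# Constructed: address ranges we treat as "our" network. Real deployments
# would list their actual office and server ranges here.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


class Transaction(NamedTuple):
    client_ip: str   # address that connected to our SMTP listener
    mail_from: str   # envelope sender (MAIL FROM), not the From: header
    rcpt_to: str     # envelope recipient (RCPT TO)


def is_internal_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def domain_of(address: str) -> str:
    # Lower-case the part after the last '@'; anything without '@' has no domain.
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify(tx: Transaction) -> str:
    """Label a transaction by the three facts that separate relaying from
    sender forgery: connection origin, sender domain, recipient domain."""
    src_inside = is_internal_ip(tx.client_ip)
    sender_ours = domain_of(tx.mail_from) == INTERNAL_DOMAIN
    rcpt_ours = domain_of(tx.rcpt_to) == INTERNAL_DOMAIN

    if rcpt_ours:
        # Mail addressed to us is inbound. We must accept it to receive mail
        # at all; the only question is whether the sender claim is plausible.
        if sender_ours and not src_inside:
            # Outside host claims one of our addresses. This is exactly the
            # forged-sender spam from the post, but it is also exactly what a
            # roaming employee sending via an ISP looks like. The envelope
            # alone cannot tell them apart, so flag rather than reject.
            return "inbound-internal-sender-from-outside"
        return "inbound"

    # Recipient is not ours: this mail would leave our server.
    if src_inside:
        return "outbound"
    # Outside -> outside through us is what an open relay permits.
    return "relay-attempt"


def parse_log_line(line: str) -> Transaction:
    # Constructed log format: "<client_ip> <mail_from> <rcpt_to>".
    ip, mail_from, rcpt_to = line.split()
    return Transaction(ip, mail_from, rcpt_to)


# Constructed sample transactions; addresses use documentation-reserved ranges.
SAMPLE_LOG = """\
203.0.113.5 alice@xyz.com bob@xyz.com
198.51.100.7 someone@example.net bob@xyz.com
192.0.2.10 alice@xyz.com friend@example.org
203.0.113.9 spammer@example.net victim@example.org
"""


def classify_log(log: str) -> list[tuple[Transaction, str]]:
    return [(tx, classify(tx)) for tx in map(parse_log_line, log.splitlines())]


if __name__ == "__main__":
    for tx, label in classify_log(SAMPLE_LOG):
        print(f"{label:40} {tx.client_ip:14} {tx.mail_from} -> {tx.rcpt_to}")
```

Only the last sample line is a relay attempt; the first line is the case the post describes, and the classifier deliberately does not distinguish it from a legitimate roaming user, which is the point the post makes about why blocking it breaks things.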