This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Nov 28, 2015, 12:06 AM
45 Posts

SMTP settings?

  • Category: Mail
  • Platform: All Platforms
  • Release: 9.0.1
  • Role:
  • Tags:
  • Replies: 9

For the first time, I have to accommodate IMAP users, outside the office, so their IP addresses could be anything.

I want to allow authenticated, logged in IMAP users to be able to send (relay) email through SMTP, but I don't want spammers to, obviously.

But while I'd love in the SMTP site doc to allow only name and password use, I can't: I need to keep SMTP open to accept email that comes in from the spam filter service, always the same IP address, unauthenticated.

How to square the circle?

 

Nov 30, 2015, 1:57 PM
33 Posts
Relay Control

In the server's configuration under "Router/SMTP -> Restrictions & Controls -> SMTP Inbound Controls" you set:
"Exceptions for authenticated users: Allow all authenticated users to relay"

But be careful and set an event generator/handler to alert you in case of an unexpected number of routing events, so that you realize when the credentials have been compromised and you are converted to a spam relay.

Nov 30, 2015, 5:11 PM
45 Posts
Can't win?

Second server not an option.

In Configuration doc, I had:

"Exceptions for authenticated users: Allow all authenticated users to relay"

In SMTP site document, I had for TCP authentication:

Name and Password: Yes (to allow the authentication)

AND

Anonymous: Yes (to allow our incoming email server at our out of house spam service to deliver)

With anonymous turned off, no email being delivered to us.

With anonymous turned on, you see this in the logs

11/27/2015 06:50:45 AM  [3240:0023-2A2C] SMTPClient: SMTP Authentication is not required by local server.  Username: -blank-

And spammers are merrily relaying like crazy.

So you set this:

Deny messages from the following internet hosts to be sent to external internet domains: *

And the spammers are rendered helpless, but your IMAP and POP3 users are dead in the water, they can't send.

It's feeling like there isn't a way to win on this one.
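The alerting advice given earlier in the thread, applied to the log line quoted in this post, as an added example that is not from any poster or from Domino itself. It counts lines of that form in a sliding window and reports a burst; the threshold, the window, every sample line other than the quoted one, and the reading of this line as a sign of unauthenticated sessions (the poster's reading) are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Layout of the log line quoted in the post: date time AM/PM, [pid:thread], message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+"
    r"\[(?P<thread>[0-9A-Fa-f:-]+)\]\s+(?P<msg>.*)$"
)
MARKER = "SMTP Authentication is not required by local server"

def parse_unauth_events(lines):
    """Yield the timestamp of each marker line logged with a blank username."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and MARKER in m["msg"] and "Username: -blank-" in m["msg"]:
            yield datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")

def find_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return [(window_start, count)], one entry per burst reaching threshold."""
    recent, alerts, alerting = deque(), [], False
    for ts in sorted(parse_unauth_events(lines)):
        recent.append(ts)
        while ts - recent[0] > window:   # drop events older than the window
            recent.popleft()
        if len(recent) < threshold:
            alerting = False             # burst over, re-arm the alert
        elif not alerting:
            alerts.append((recent[0], len(recent)))
            alerting = True
    return alerts

# Constructed sample: the first line is the one quoted in the post, the rest
# are made up in the same layout (a burst, an unrelated line, a lone event).
_MSG = "SMTPClient: SMTP Authentication is not required by local server.  Username: -blank-"
SAMPLE_LOG = [f"11/27/2015 06:50:{s:02d} AM  [3240:0023-2A2C] {_MSG}"
              for s in (45, 47, 49, 51, 53, 55)]
SAMPLE_LOG += [
    "11/27/2015 06:51:10 AM  [3240:0023-2A2C] (constructed) unrelated log line",
    f"11/27/2015 09:15:00 AM  [3240:0023-2A2C] {_MSG}",
]

if __name__ == "__main__":
    for start, count in find_bursts(SAMPLE_LOG):
        print(f"ALERT: {count} unauthenticated SMTP sessions within 1 min of {start}")
```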

 

Nov 30, 2015, 6:19 PM
328 Posts
Should work...

Should work the way you have it set - what do you have for 'Perform Anti-Relay enforcement for these connecting hosts:' ?

Dec 2, 2015, 9:28 PM
45 Posts
smtp settings

@Mark, "Should work the way you have it set - what do you have for 'Perform Anti-Relay enforcement for these connecting hosts:' ?"

Hey Mark, I have "All connecting hosts"

@ Barry, "Have you tried adding an smtp debug"

Yep, I got these going.

 

SMTPDebugIO=3
;DEBUG_THREADID=1
;debug_show_timeout=1
;debug_capture_timeout=1
SMTPClientDebug=1

Also added these based on what I found elsewhere.


SMTPAllowConnectionsAnonymous=1
SMTPVerifyAuthenticatedSender=1
SMTPErrorLimit=5

 

Problem as described still exists. If I allow authenticated IMAP users to send email, spammers have a field day relaying.

Dec 3, 2015, 2:43 AM
328 Posts
Just to be clear -

The spammers aren't authenticating - these are anonymous connections?

I have pretty much the same requirement - inbound cannot relay, we have a handful of internal trusted IP addresses, and I have a couple smtp connections that authenticate to relay mail outside.

I do not use either SMTPAllowConnectionsAnonymous=1 or SMTPVerifyAuthenticatedSender=1

However, I DO use:

SMTP_LEFT_DOT_NEVER_DOMAIN=1
SMTPALLHOSTSEXTERNAL=1
SMTPClientDebug=1
SMTPGreeting=%s
SMTPNoVersionInRcvdHdr=1

What do you have in the 'Exclude these connecting hosts from anti-relay checks:' field?

What do you have for 'Allow messages to be sent only to the following external internet domains:' ? (should be blank)

How many SMTP Internet site docs do you have? (How many internet site docs in total?)

Try adding 'SMTPALLHOSTSEXTERNAL=1' and see if that helps.

Review this technote: http://www-01.ibm.com/support/docview.wss?uid=swg21385199

Review this pdf: http://public.dhe.ibm.com/software/dw/lotus/SMTPAuthSpamFinal.pdf

Dec 15, 2015, 5:27 PM
45 Posts
closed

Closing this and giving up; client migrating to Gmail now instead.

