Thursday, May 21, 2009

Edge server Configured as Regional or Remote Site Mail relay server

I have a requirement from my regional Admins to allow mail relay for their regions. Mostly they want mail relay for:

1. Local Exchange or SMTP servers.

2. Printers and scanners that need to send emails.

3. Devices and application servers that need to send alert notifications.

4. Some devices and servers that only support anonymous permission settings.

To provide this functionality, I could create a site-specific receive connector on the Hub Transport server and allow relay only from their specific server IPs, but there is a problem: I don't have any control over their site and server security, and allowing relay directly to the Hub server means their connections terminate directly in our Enterprise/Business zone, which is a high security risk. So I thought, why shouldn't I use my Edge servers sitting in the DMZ and allow relay from them? I checked connectivity to these sites from the DMZ and found that I can reach them. While researching this I also discussed it with a friend (Nicolas Blank, an expert in Exchange configuration and migration); he agreed with the idea and pointed me to the following article:

http://www.msexchange.org/articles_tutorials/exchange-server-2007/security-message-hygiene/using-exchange-2007-edge-server-mail-relay-exchange-2003-organization-part1.html

After reading this article I am now more confident about this configuration. I think that in a scenario where we don't have any control over remote site security and there is a demand to open anonymous relay, it is better to open relay on the Edge servers rather than on the Hub servers.
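One way to set this up in the Exchange Management Shell on the Edge Transport server, as an added example that is not from this post or the linked article: a custom receive connector bound to the DMZ interface, scoped to a single regional site's address ranges, granted only the anonymous relay right, with verbose protocol logging so relayed traffic is auditable. The site name, listener address and remote ranges are constructed sample values, and the commands follow the usual Exchange 2007 anonymous relay approach (assumed to behave the same against the Edge server's ADAM instance).

```powershell
# Added example (not from the post). Run in the Exchange Management Shell on the Edge Transport server.
# Sample values are constructed: replace the site name, DMZ listener address and remote ranges with your own.

$SiteName   = "RegionA"
$EdgeDmzIP  = "192.0.2.10"                 # Edge server's DMZ-facing interface (constructed)
$SiteRanges = @("198.51.100.0/24",         # Regional site server/printer subnet (constructed)
                "198.51.100.250")          # A single application server at that site (constructed)

# 1. Create a dedicated connector for this site only. Scoping RemoteIPRanges to the site's
#    addresses is what keeps this from becoming an open relay; the default Edge connector
#    keeps handling Internet inbound mail untouched.
$Connector = New-ReceiveConnector -Name "Relay-$SiteName" -Usage Custom `
    -Bindings "${EdgeDmzIP}:25" `
    -RemoteIPRanges $SiteRanges `
    -AuthMechanism None `
    -PermissionGroups AnonymousUsers `
    -MaxMessageSize "10MB" `
    -ProtocolLoggingLevel Verbose          # per-session record of which device relayed what

# 2. AnonymousUsers alone only accepts mail for internal recipients. Devices that must also
#    send to external addresses need the accept-any-recipient right on this connector,
#    and on this connector only.
$Connector | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
    -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 3. Verify the scope before handing the connector over to the regional admins.
Get-ReceiveConnector "Relay-$SiteName" |
    Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups, ProtocolLoggingLevel

Get-ReceiveConnector "Relay-$SiteName" |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Format-Table Identity, User, ExtendedRights -AutoSize
```

Repeat step 1 per regional site rather than widening one connector's RemoteIPRanges, so a compromised site can be cut off by disabling its own connector.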
