That's how SMTP works and is expected. If you didn't allow anonymous messages sent to users within your org, then you wouldn't be able to receive mail from the internet.
Being able to send as any mailbox to your org is also expected because that's simply spoofing. To prevent that I would recommend a good antimalware/anti-phishing product.
You can also set this:
Open relay, on the other hand, is disabled by default. No one externally should be able to send to another external org through your server.
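The three behaviours described in this reply (anonymous inbound to your own domain is accepted, a spoofed internal sender is accepted too, relaying to a foreign domain is refused) can be checked with a plain SMTP probe that stops at RCPT TO. The following is an added example, not code from the original post: it models the accept-domain / relay policy in a small in-process SMTP server so it runs offline, and probes it with `smtplib`. The server name `mx.example.com`, the accepted domain `example.com`, the `.test` addresses and the reply texts are constructed for the example; `relay_decision`, `ToySmtpServer` and `probe` are names chosen here and are not any real product's API.

```python
import smtplib
import socket
import threading

# Constructed example: the domains this server accepts mail for.
ACCEPTED_DOMAINS = {"example.com"}


def relay_decision(authenticated, rcpt, accepted_domains=ACCEPTED_DOMAINS):
    """Return (code, text) for a RCPT TO command.

    Mail to one of our own domains is accepted from anyone: if anonymous
    senders were refused here, nothing from the internet would ever arrive.
    Mail to a foreign domain is a relay and is only allowed to an
    authenticated client; an anonymous request gets 550 (no open relay).
    """
    domain = rcpt.rpartition("@")[2].lower()
    if domain in accepted_domains:
        return 250, "2.1.5 Recipient OK"
    if authenticated:
        return 250, "2.1.5 Recipient OK (authenticated relay)"
    return 550, "5.7.1 Unable to relay"


class ToySmtpServer:
    """Minimal SMTP listener on 127.0.0.1 that applies relay_decision.
    It implements only what the probe needs (EHLO, MAIL, RCPT, QUIT)."""

    def __init__(self, accepted_domains=ACCEPTED_DOMAINS):
        self.accepted = accepted_domains
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:  # listener closed by close()
                return
            threading.Thread(target=self._session, args=(conn,), daemon=True).start()

    def _session(self, conn):
        reader = conn.makefile("rb")
        send = lambda line: conn.sendall((line + "\r\n").encode("ascii"))
        send("220 mx.example.com ESMTP toy")
        authenticated = False  # no AUTH implemented: every client is anonymous
        while True:
            raw = reader.readline()
            if not raw:
                break
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                send("250 mx.example.com")
            elif verb == "MAIL":
                # The envelope sender is never verified by SMTP itself, so a
                # spoofed internal address is accepted like any other.
                send("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                rcpt = arg.partition(":")[2].strip().strip("<>")
                code, text = relay_decision(authenticated, rcpt, self.accepted)
                send(f"{code} {text}")
            elif verb == "QUIT":
                send("221 2.0.0 Bye")
                break
            else:
                send("502 5.5.1 Command not implemented")
        conn.close()

    def close(self):
        self.sock.close()


def probe(host, port, mail_from, rcpt_to):
    """Return the reply code to RCPT TO: 250 = accepted, 550 = relay refused.
    Nothing is sent: the session ends with QUIT before DATA."""
    with smtplib.SMTP(host, port, timeout=5) as s:
        s.ehlo("probe.example.net")
        s.mail(mail_from)
        code, _ = s.rcpt(rcpt_to)
        return code


def run_demo():
    """Run the three probes from the reply against the toy server."""
    server = ToySmtpServer()
    host, port = "127.0.0.1", server.port
    results = {
        # anonymous internet sender to a local mailbox: expected to be accepted
        "inbound_anonymous": probe(host, port, "someone@external.test", "alice@example.com"),
        # anonymous sender spoofing an internal address: also accepted (spoofing, not relay)
        "inbound_spoofed": probe(host, port, "ceo@example.com", "alice@example.com"),
        # external sender to external recipient: the open-relay test, expected 550
        "open_relay_attempt": probe(host, port, "someone@external.test", "victim@other.test"),
    }
    server.close()
    return results


if __name__ == "__main__":
    for name, code in run_demo().items():
        print(f"{name}: {code}")
```

To test a real server, call `probe` from outside your network against your own MX with an external `rcpt_to`; a 5xx at RCPT TO is the expected "relay denied", while a 250 there means the server will relay for anonymous clients and needs fixing. The first two probes returning 250 are normal and are not a relay problem; that is the spoofing case the reply talks about, which is handled by anti-phishing controls rather than by the relay setting.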