We recently had a series of incidents in which internal users sent forged SMTP mail. How can we prevent this from happening again?

The SMTP protocol was never designed to provide strong authentication. Over time, SMTP has been extended with a variety of authentication and privacy-protection mechanisms, but in your case, you need only a very simple mechanism.

Users in your organization can reach your SMTP server, so you have a couple of choices. One option is to configure the SMTP virtual servers on your Exchange systems to accept traffic only from one another. A second option is to disable anonymous SMTP on those virtual servers so that users will have to authenticate to the server before they can send their messages. However, neither measure is appropriate for the machine that handles your Internet SMTP traffic. Incoming SMTP traffic is generally anonymous, and you can't typically predict the inbound IP addresses that your server will encounter.

You might consider upgrading to Exchange Server 2003, which includes a change to the SMTP engine that prevents it from attempting to resolve the sender address to a display name for messages that are submitted anonymously. This means that if I use Telnet to submit a message ostensibly from billg@microsoft.com to a Microsoft email server, the server will leave billg@microsoft.com as the sender address instead of resolving the address to the display name that would typically appear. To take full advantage of this functionality, you need to educate your users to be suspicious of mail that purports to be from internal users but that contains a plain SMTP address in the From field.