Neil Sands, Citrix CCA

SMTP Relay to Smart host only accepting authoritative domains

I have local Exchange 2013 CU18 servers set up as an SMTP server. I have set up a send connector to go to a smart host. This works fine. But I need to make sure emails coming from other systems inside of the domain are using an authoritative domain to send email via my SMTP servers. I know I can set up another send connector using MX records, but I have to have all emails go out my smart host.

Thanks,
Neil
M A

Hi Neil Sands,
Welcome to Experts Exchange.
-->But I need to make sure emails coming from other systems inside of the domain are using an authoritative domain to send email via my SMTP servers.
I am not clear on your query. Please elaborate.
Do you mean your Outlook clients, or do you have another (3rd-party) email program using the same SMTP server?
Receive Connectors are responsible for receiving incoming emails sent to a Transport server. This includes emails sent from Mailbox Servers, POP3 and IMAP clients, and other hosts or applications sending via SMTP.
Server will use "Send connector" to send emails to external users. In your case it goes to SMTP smart host.

Thanks
MAS
So basically you wanted to use your email server as an SMTP relay for your internal servers so that they can send emails out, correct?

In that case, create one custom receive connector as described in the blog below:
https://practical365.com/exchange-server/exchange-2013-configure-smtp-relay-connector/
Ensure that you add the IP / subnet of all internal servers which need to send emails through your Exchange server (relay).
This would allow you to receive emails from your internal servers and then use your send connector to get them out.
Agree with Mahesh. If you want other devices (e.g. scanner, printer, etc.) to use the Exchange server for sending emails out, you can follow the article posted by Mahesh. You don't need an additional send connector; Exchange will use the same send connector for sending emails out. An additional receive connector with the IPs required to relay would be enough.

@Mahesh
Good write up Mahesh. :))
Neil Sands, Citrix CCA

ASKER

There are no Outlook clients that use the SMTP servers. I have the default frontend and hub transports scoped so only internal servers can send email to the SMTP servers. We use O365 as our primary email system. These SMTP servers are for internal IBM systems to email. I already have it all set up and working fine. This is to satisfy a Rapid7 scan. Rapid7 can send an email as user@example.com. I need to lock the SMTP servers down so only an authorized domain can send a message out. I currently have send connectors set to go to a specific smart host. Which SMTP server gets the email determines which smart host gets the message. I had to use port 25 on the default hub transport due to default mail routing. If an email is sent to a specific SMTP server, it has to stay on that SMTP server to be delivered to the specific smart host. So the task is using the current setup to only allow authorized domains to send to the SMTP servers internally. No external email can get to or use the servers. Again, this is just to satisfy a Rapid7 scan. As crazy as this sounds, here is the other twist: I can't require basic authentication or TLS because the systems don't support this. Some do, but the most important system does not. Great dilemma I have been tasked with.
ASKER CERTIFIED SOLUTION
Mahesh
This solution is only available to members.
Emails hit the smart host then out to internet.  The last paragraph hit the mark. That's what I thought. I was just making sure. I didn't want to persuade any answers. Thanks guys. Always appreciate the input.
Thanks for the quick responses.  I was just confirming what I knew.  I needed others to back me when I tell them the solution. I can make it do what they want, but it will break the current email processing.
Emails hit the smart host then out to internet.

You are right: once you have configured a relay connector, no matter whether it's internal or external, the connector will accept any *from* address.
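
As an added example (not part of the original thread): since the relay connector accepts any *from* address, a short Python audit of the SMTP receive protocol log can list which internal hosts submit mail with a MAIL FROM domain outside the authoritative set, which shows what a sender-domain restriction would reject before it is enforced. It assumes protocol logging is enabled on the receive connector; the domain `corp.example`, the server and connector names, the IPs and the log lines are all constructed.

```python
import csv
import re
from collections import Counter

# Assumption: the domains this organisation is authoritative for.
AUTHORITATIVE = {"corp.example"}

# Column order from the "#Fields:" header of an Exchange SMTP receive protocol log.
FIELDS = ["date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context"]
MAIL_FROM = re.compile(r"MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)

# Constructed sample lines (hypothetical server, connector and addresses).
SAMPLE_LOG = r"""#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2018-03-01T12:00:01.000Z,EX01\Relay,08D57F01,5,10.0.0.5:25,10.0.0.20:51234,<,MAIL FROM:<as400@corp.example>,
2018-03-01T12:00:01.010Z,EX01\Relay,08D57F01,6,10.0.0.5:25,10.0.0.20:51234,>,250 2.1.0 Sender OK,
2018-03-01T12:03:10.000Z,EX01\Relay,08D57F02,5,10.0.0.5:25,10.0.0.99:40022,<,MAIL FROM:<user@example.com> SIZE=2048,
2018-03-01T12:04:00.000Z,EX01\Relay,08D57F03,5,10.0.0.5:25,10.0.0.20:51300,<,MAIL FROM:<Reports@CORP.EXAMPLE>,
2018-03-01T12:05:00.000Z,EX01\Relay,08D57F04,5,10.0.0.5:25,10.0.0.31:50111,<,MAIL FROM:<>,
2018-03-01T12:06:00.000Z,EX01\Relay,08D57F05,5,10.0.0.5:25,10.0.0.99:40031,<,MAIL FROM:<user@example.com>,
2018-03-01T12:07:00.000Z,EX01\Relay,08D57F06,5,10.0.0.5:25,10.0.0.31:50120,<,MAIL FROM:<printer>,
"""

def audit(lines, allowed=AUTHORITATIVE):
    """Count MAIL FROM commands per (client IP, sender domain) outside `allowed`."""
    hits = Counter()
    rows = (l for l in lines if l.strip() and not l.startswith("#"))
    for row in csv.DictReader(rows, fieldnames=FIELDS):
        if row["event"] != "<":          # "<" = command received from the client
            continue
        m = MAIL_FROM.match(row["data"] or "")
        if not m or m.group(1) == "":    # not MAIL FROM, or null sender (bounce)
            continue
        local, at, domain = m.group(1).rpartition("@")
        domain = domain.lower() if at else "(none)"   # address with no domain part
        if domain not in allowed:
            client_ip = row["remote-endpoint"].rpartition(":")[0]
            hits[(client_ip, domain)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (ip, domain), n in sorted(audit(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip} sent {n} message(s) as {domain}")
```

Hosts that appear in the output are the ones whose mail flow would stop if only authoritative sender domains were accepted.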