Note: If not, and you have a default policy that adds email@example.com to “all recipient types”, then adding a contact will add an externally accessible firstname.lastname@example.org email address to your external contact, and mail sent to that address will be forwarded to the external contact (email@example.com, for example). (Yes, ouch.)
2) DO NOT use SBS Management Console to edit your distribution groups. If you open the groups, the contacts will not show up at all, which can be quite scary. Get in the habit of always using Exchange Management Console instead, under “recipient configuration”, to create your contacts and distribution lists.
3) DO NOT use the AD Users and Computers editor for group changes.
4) Go back through any contacts or groups that have already inherited the policies. Uncheck “apply email recipient policies” (you can do this in bulk) and then edit the groups and contacts to delete the excess SMTP addresses that may exist. Otherwise email will continue to relay from firstname.lastname@example.org to external contacts!
Note: Any X400 or X500 address should NOT be deleted. If they are deleted, existing references may be messed up, especially in a migration situation. They may need to be fixed on a case-by-case basis.
5) As new contacts are added, reconfirm that “apply email recipient policies” is unchecked (just in case) and confirm that no excess addresses have been created. If any have, delete the aliases as necessary.
6) Set all Contacts to (authenticated only) and as time permits clean up the excess SMTP addresses. This will prevent external users from sending to your contacts.
For distribution groups, you may or may not want to set all the groups to require authentication (i.e. you may want to let other domain addresses send to email@example.com).
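
The review in steps 4 to 6 can be scripted from the Exchange Management Shell. The following is an added example, not part of the original post: it assumes that any SMTP proxy address differing from a contact's external address counts as "excess", it only reports those addresses for manual review, and it previews the policy and authentication changes with `-WhatIf`.

```powershell
# Added example: audit mail contacts for inherited address policies,
# excess SMTP proxy addresses and unauthenticated delivery.
# Run in the Exchange Management Shell. Nothing is changed until -WhatIf is removed.

$report = foreach ($c in Get-MailContact -ResultSize Unlimited) {
    # Normalise to plain strings so this works with live or deserialised objects.
    $external = ([string]$c.ExternalEmailAddress) -replace '^smtp:', ''
    $proxies  = @($c.EmailAddresses | ForEach-Object { [string]$_ })

    # Only SMTP entries are candidates. X400/X500 entries are never flagged.
    # Assumption: an SMTP proxy that is not the external address is "excess".
    $excess = @($proxies | Where-Object {
        ($_ -match '^smtp:') -and (($_ -replace '^smtp:', '') -ne $external)
    })

    $needsWork = $c.EmailAddressPolicyEnabled -or
                 ($excess.Count -gt 0) -or
                 (-not $c.RequireSenderAuthenticationEnabled)

    if ($needsWork) {
        $c | Select-Object Name,
            @{Name = 'Identity';      Expression = { [string]$c.Identity }},
            @{Name = 'External';      Expression = { $external }},
            @{Name = 'PolicyEnabled'; Expression = { $c.EmailAddressPolicyEnabled }},
            @{Name = 'AuthRequired';  Expression = { $c.RequireSenderAuthenticationEnabled }},
            @{Name = 'ExcessSmtp';    Expression = { $excess -join '; ' }}
    }
}

# Review this list first; the ExcessSmtp column shows what to clean up by hand.
$report | Format-Table Name, External, PolicyEnabled, AuthRequired, ExcessSmtp -AutoSize

# Stop the policy from re-stamping addresses and require authenticated senders.
# Remove -WhatIf once the report above looks right.
foreach ($r in $report) {
    Set-MailContact -Identity $r.Identity `
        -EmailAddressPolicyEnabled $false `
        -RequireSenderAuthenticationEnabled $true `
        -WhatIf
}
```

The excess addresses are deliberately left for manual removal, since a policy may have made one of them the contact's primary SMTP address.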