xmail serious auth problem

my config server.tab is:
[code]#
# Example configuration file.
# Note : remember to use _REAL_ TABs and " to format this file
#
"RootDomain"    "xmailserver.test"
"SmtpServerDomain"      "xmailserver.test"
"POP3Domain"    "xmailserver.test"
"HeloDomain"    "xmailserver.test"
"PostMaster"    "root@xmailserver.test"
"ErrorsAdmin"   "root@xmailserver.test"
#"TempErrorsAdmin"      "send-failures@xmailserver.test"
#"DefaultSMTPGateways"  "192.168.1.2,192.168.1.15"
"RemoveSpoolErrors"     "0"
"Pop3LogPasswd" "0"
"NoSenderBounce"        "1"
#"DisableEmitAuthUser"  "1"
#"NotifyMsgLinesExtra"  "8"
#"NotifySendLogToSender"        "0"
#"NotifyTryPattern"     "1"
"MaxMTAOps"     "16"
"ReceivedHdrType"       "0"
"FetchHdrTags"  "+X-Deliver-To,+Received,To,Cc"
#"SmtpGwConfig" "NeedTLS=1,OutBind=192.168.1.1"
#"EnableCTRL-TLS"       "1"
#"EnableSMTP-TLS"       "1"
#"EnablePOP3-TLS"       "1"
#"SmtpMsgIPBanSpammers" "550 Denied due inclusion of your IP in our spam lists"
#"SmtpMsgIPBanSpamAddress"      "550 Denied due inclusion of your email address in our spam lists"
#"SmtpMsgIPBanMaps"     "550 Denied due inclusion of your IP in the following map"
#"CustomSMTPMessage"    "Please open http://www.xmailserver.test/smtp_errors.html to get more information about this error"
#"MaxMessageSize"       "20000"
"EnableAuthSMTP-POP3"   "0"
#"Pop3SyncErrorAccount" "psync-errors@xmailserver.test"
#"AllowNullSender"      "1"
"AllowSmtpVRFY" "1"
"AllowSmtpETRN" "1"
#"SMTP-MaxErrors"       "4"
#"SmtpMinDiskSpace"     "100000"
#"SmtpMinVirtMemSpace"  "64000"
#"Pop3MinVirtMemSpace"  "64000"
#"CustMapsList" "list.dsbl.org.:1,blackholes.mail-abuse.org.:1,dialups.mail-abuse.org.:0"
"SMTP-RDNSCheck"        "1"
"CheckMailerDomain"     "1"
#"SmartDNSHost" "dns.home.bogus.net:tcp,192.168.1.1:udp"
#"SmtpConfig"   "mail-auth"
#"SmtpConfig-192.168.0.2"       "mail-auth"
"DefaultSmtpPerms"      "MRVZ"

[/code]
so my domain xmail serwer passed all relay info from [url]http://www.antispam-ufrj.pads.ufrj.br/[/url]

however i have done some other tests:

1. w xmailu php there is  
SmtpConfig-192_168_0_2 mail-auth
however is guides there is "." instead of "_" so what is correct , is it openwrt specific ?

2. External user (not within local network - so with public IP) can login on serwer on port 25 and send mails between users on local network :(  
[code]220 x.pl <1255951170.49170@x.pl> [XMail 1.26 ESMTP Server] service ready; Mon, 19 Oct 2009 13:19:30 +0200
ehlo x.pl
250-x.pl
250-VRFY
250-ETRN
250-8BITMIME
250-PIPELINING
250-AUTH LOGIN PLAIN CRAM-MD5
250-SIZE
250 STARTTLS
mail from:<dupa@dupa2343.com>
505 Your domain has no DNS/MX entries
mail from:<jadzia@x.pl>
250 OK
rcpt to:<admin@x.pl>
250 OK
data[/code]
so it is possible to spam local serwer users from its own serwer. This can overload the serwer :(

3. Sending as users o external network does not work (as page in top shows - so the serwer is not an relay)

[code]20 x.pl <1255951501.51218@x.pl> [XMail 1.26 ESMTP Server] service ready; Mon, 19 Oct 2009 13:25:01 +0200
ehlo cezary.com
250-x.pl
250-VRFY
250-ETRN
250-8BITMIME
250-PIPELINING
250-AUTH LOGIN PLAIN CRAM-MD5
250-SIZE
250 STARTTLS
mail from:<admin@x.pl>
250 OK
rcpt to:<adam@gmail.com>
550 Relay denied
quit[/code]
4. And it is possible to spam users with from recipents
[code]220 x.pl <1255959132.67602@x.pl> [XMail 1.26 ESMTP Server] service                                                                                                           ready; Mon, 19 Oct 2009 15:32:12 +0200
ehlo onet.pl
250-x.pl
250-VRFY
250-ETRN
250-8BITMIME
250-PIPELINING
250-AUTH LOGIN PLAIN CRAM-MD5
250-SIZE
250 STARTTLS
mail from:<obama@whitehouse.gov>
250 OK
rcpt to:<admin@x.pl>
250 OK
data
354 Start mail input; end with <CRLF>.<CRLF>
its word war 3 !!
250 OK <S5C>
q
500 Syntax error, command unrecognized
quit[/code]
how to eliminate case 2 and 4 cause thery are not good :>