If either the recipient or sender domain is not part of your environment, the SMG should not relay it. That is the definition of an open relay. Please refer to the below best practice article for configuration pointers and testing for open relay:
http://www.symantec.com/docs/TECH122730
Assuming the mail is not actually being routed via your SMG, but rather is just being sent out directly, I'd personally start with amending your FW rules and go from there to be honest. What I mean is:
- only your mail server(s) is/are allowed to send mail out via the SMG, and
- that only the SMG is allowed to send mail out at all, so that
- only authorised devices can send out mail
I'd also recommend checking out the logs on your FW to determine if anything other than your mail server is connecting out on port 25, and to find out why they are doing so (i.e. is it infected, is it a legitimate mailer process that has been hijacked to spoof mail, etc).
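As an added illustration of the last suggestion (this is example code written here, not part of the original post or of any Symantec tool), the script below parses firewall log lines in the iptables `LOG` target format and reports every internal host other than the authorised SMG that is connecting out on TCP port 25. The log lines, the SMG address `192.0.2.20`, and the `OUT-ALLOW` prefix are all constructed for the example; point it at your own firewall log and substitute the address of your SMG.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (iptables LOG format). Not real traffic.
SAMPLE_LOG = """\
Jan 10 09:12:01 fw kernel: OUT-ALLOW IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=203.0.113.5 PROTO=TCP SPT=45210 DPT=25
Jan 10 09:12:07 fw kernel: OUT-ALLOW IN=eth1 OUT=eth0 SRC=192.0.2.77 DST=198.51.100.9 PROTO=TCP SPT=51234 DPT=25
Jan 10 09:12:09 fw kernel: OUT-ALLOW IN=eth1 OUT=eth0 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=25
Jan 10 09:12:15 fw kernel: OUT-ALLOW IN=eth1 OUT=eth0 SRC=192.0.2.31 DST=203.0.113.80 PROTO=TCP SPT=40001 DPT=443
Jan 10 09:12:22 fw kernel: OUT-ALLOW IN=eth1 OUT=eth0 SRC=192.0.2.102 DST=198.51.100.9 PROTO=TCP SPT=60000 DPT=25
"""

# Hypothetical address of the SMG: the only host that should talk outbound SMTP.
AUTHORISED_SMTP_SENDERS = {"192.0.2.20"}

# Pull the fields we need out of an iptables LOG line.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the source, destination, protocol and destination port of one
    iptables LOG line, or None if the line does not look like one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def find_unauthorised_smtp(log_text, authorised=AUTHORISED_SMTP_SENDERS, smtp_port=25):
    """Map each non-authorised source address that connected out on smtp_port
    to its connection count and the sorted set of destinations it contacted."""
    offenders = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] != smtp_port:
            continue
        if rec["src"] in authorised:
            continue  # the SMG is allowed to send mail out
        offenders[rec["src"]]["connections"] += 1
        offenders[rec["src"]]["destinations"].add(rec["dst"])
    return {
        src: {"connections": v["connections"], "destinations": sorted(v["destinations"])}
        for src, v in offenders.items()
    }


if __name__ == "__main__":
    for src, info in find_unauthorised_smtp(SAMPLE_LOG).items():
        print(f"{src}: {info['connections']} outbound SMTP connection(s) to {', '.join(info['destinations'])}")
```

Each host the script lists is one to look at along the lines the post describes: is it infected, or is it a legitimate mailer that has been hijacked. Once the firewall only permits the SMG out on port 25, the same parser can be run against the drop log rather than the allow log, and any hit is a host that tried to bypass the gateway.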