you need to run the tests on your domain or MX name to make sure the relay open.
Yes you need anonymous connections enabled otherwise the servers coming into your network won't be able to send any email through.
The default settings which don't enable relay on the receive connector are:
Permission Groups (tab)
Legacy Exchange Servers
Transport Layer Security (TLS)
Offer Basic authentication only after starting TLS
Exchange Server authentication
Intergrated Windows authenication
We also use have added a bunch of servers to your anti-spam in the Exchange server which cuts down on about 98% of the spam we get without them.
Anti-spam -> IP Block List Providers
All other settings are default.