In Exchange 2010, the default Receive Connectors are restricted so that they cannot accept e-mail from unauthenticated senders. Unless you relay mail to your Exchange servers through a smarthost or use an Edge Transport server, servers that send e-mail directly to your server will be denied a connection.
To resolve this in the Exchange Management Console, navigate to Server Configuration > Hub Transport. In the top section of the screen, make sure the Exchange server that will receive e-mail for your domain (the server that port 25 is being forwarded to) is highlighted, then right-click the receive connector whose name starts with Default and select Properties. Click the Permission Groups tab and put a check in the box for Anonymous Users. Click OK.
If e-mail is delivered directly to your Exchange server rather than to a third-party host and you don’t make this change, you will need to provide every server sending you e-mail with authentication details so that it can connect. This is obviously not an option.
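
The same change made from the Exchange Management Shell, as an added example that is not part of the original post; the server name `EXCH01` is a placeholder assumption. It keeps the connector's existing permission groups and then checks that anonymous senders have not been granted the relay right (`ms-Exch-SMTP-Accept-Any-Recipient`).

```powershell
# Added example. Run in the Exchange Management Shell.
$server = 'EXCH01'   # assumption: placeholder for your Hub Transport server name

# Find the receive connector whose name starts with "Default" on that server.
$connector = @(Get-ReceiveConnector -Server $server |
    Where-Object { $_.Name -like 'Default*' })
if ($connector.Count -ne 1) {
    throw "Expected exactly one Default connector on $server, found $($connector.Count)."
}
$connector = $connector[0]

# Record the current state before changing anything.
$connector | Format-List Identity, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# -PermissionGroups replaces the whole value, so keep the groups already set
# and only append AnonymousUsers if it is missing.
$groups = @("$($connector.PermissionGroups)" -split ',\s*' |
    Where-Object { $_ -and $_ -ne 'None' })
if ($groups -notcontains 'AnonymousUsers') {
    $groups += 'AnonymousUsers'
    $connector | Set-ReceiveConnector -PermissionGroups ($groups -join ',')
}

# Confirm the result.
Get-ReceiveConnector -Identity $connector.Identity |
    Format-List Identity, PermissionGroups

# Accepting anonymous mail for your own domains is not the same as relaying.
# Relay for anonymous senders requires ms-Exch-SMTP-Accept-Any-Recipient,
# so flag the connector if that right has been granted.
$relay = Get-ReceiveConnector -Identity $connector.Identity |
    Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object {
        -not $_.Deny -and
        ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient')
    }

if ($relay) {
    Write-Warning "Anonymous senders can relay through $($connector.Identity)."
} else {
    Write-Host "Anonymous senders can submit mail but cannot relay."
}
```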