If you use hMailServer and are a novice be careful to check that box that says require smtp authentication for local to external messages. You can find this box in the ip ranges section of hMailServer Administrator. I learned this lesson the hard way when a spoofer sent tens of thousands of spam emails through my server.
I never much even looked at that little box before. But if you do not check it an email can go to the server that looks like it is from you and it will send it out to whoever you address it to. It shocks me that it would even be an option not to have that enabled.