In certain scenarios it is recommended to enable Header Firewall to prevent a message being created that could possibly spoof X-Headers in to order to imitate an edge transport server and to accept the messages by the receiving server. This is especially the case if you do not use a smart host that removes headers which may disclose too much information about your organisation.
In order to enable (Deny) the Header Firewall you must set the ‘Deny’ permission on the Send connector.
This can be achieved by using the following command;
Add-ADPermission -Identity “<Send Connector>” -User “NT Authority\Anonymous Logon” -ExtendedRights Ms-Exch-Send-Headers-Routing -Deny
By default, no Send (or Receive) connector is configured for Header Firewall.
Deans Blog 