The Hub Transport server is set for authentication out-of-the-box. Its role was not really designed to be outward facing towards the WAN. For Norman to deliver mail to a client with a Hub transport server, you need to set your Receive Connector to allow anonymous access.
The SMTP logs of a test message from Norman’s delivery server to a Hub Transport server, which has not turned anonymous access on, will return the standard Client not authenticated message:
“return-path address <name@sender.com> rejected by mail.mydomain.com : 454 5.7.3 Client was not authenticated.”
Italia