And sometimes it's not your fault. For example, we had some huge legacy NAS that sent storage alerts through unauthenticated SMTP, and wouldn't want anything else. We threw together a Python SMTP server (surprisingly easy) that received those alerts, logged them, and relayed them through properly authenticated SMTP.
Nothing was exposed to the Internet, but one of my small fears was seeing spam in the log of that service, which would mean a serious breach.
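A sketch of the relay policy such a bridge could apply, as an added example that is not the commenter's code: it only relays mail from the NAS to the alert mailbox, and logs everything else as an anomaly so that unexpected traffic stands out in the log. The addresses, host names, the `RELAY_SMTP_PASSWORD` variable and the `handle_message` hook (called by whatever SMTP listener receives the message) are assumptions.

```python
import ipaddress
import logging
import os
import smtplib
import ssl

log = logging.getLogger("nas-relay")

# Assumed values for illustration; none of them come from the original post.
ALLOWED_PEERS = [ipaddress.ip_network("10.20.30.40/32")]  # the NAS
ALLOWED_RCPTS = {"storage-alerts@example.com"}            # where alerts may go
UPSTREAM_HOST, UPSTREAM_PORT = "smtp.example.com", 587
UPSTREAM_USER = "nas-relay@example.com"


def check(peer_ip, rcpt_tos):
    """Return None if the message may be relayed, else the reason it may not."""
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in ALLOWED_PEERS):
        return "unexpected peer"
    if not rcpt_tos:
        return "no recipients"
    extra = {r.lower() for r in rcpt_tos} - ALLOWED_RCPTS
    if extra:
        return "unexpected recipient(s): " + ", ".join(sorted(extra))
    return None


def send_upstream(mail_from, rcpt_tos, data):
    """Relay over STARTTLS with a verified certificate and authentication."""
    with smtplib.SMTP(UPSTREAM_HOST, UPSTREAM_PORT, timeout=30) as s:
        s.starttls(context=ssl.create_default_context())
        s.login(UPSTREAM_USER, os.environ["RELAY_SMTP_PASSWORD"])
        s.sendmail(mail_from, rcpt_tos, data)


def handle_message(peer_ip, mail_from, rcpt_tos, data, send=send_upstream):
    """Log every received message, relay only expected ones; returns the SMTP reply."""
    reason = check(peer_ip, rcpt_tos)
    if reason:
        # %r escapes CR/LF so sender-controlled fields cannot forge log lines.
        log.warning("ANOMALY peer=%s from=%r rcpt=%r bytes=%d reason=%s",
                    peer_ip, mail_from, rcpt_tos, len(data), reason)
        return "550 relaying denied"
    log.info("relay peer=%s from=%r rcpt=%r bytes=%d",
             peer_ip, mail_from, rcpt_tos, len(data))
    send(mail_from, rcpt_tos, data)
    return "250 OK"
```

An alert on any `ANOMALY` line gives the "spam in the log" signal without having to read the log by hand.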