No matter what you do to main.cf and master.cf, every time you restart the Zentyal server it will be undone.
Go change the heck out of it then run the following command to test it out:
sudo service zentyal mail restart
So holy cow, what happened? If you go to /usr/share/zentyal/stubs/mail you'll see what are called stub files, like main.cf.mas and master.cf.mas, but you don't edit those either. Make the following 2 directories like so:
sudo mkdir -p /etc/zentyal/stubs
sudo mkdir -p /etc/zentyal/stubs/mail
Now copy main.cf.mas and master.cf.mas over to /etc/zentyal/stubs/mail from /usr/share/zentyal/stubs/mail and you have 2 stub files to edit.
Inside of these files you can find the place to turn off basic authentication, and tighten down the settings.
By default Zentyal does NOT allow open relays, but you can set up open relays inside of the Mail configuration from the web GUI. I'd venture a guess that someone didn't read the whole Wiki and couldn't figure out why clients couldn't connect to the server and just opened everything up. Zentyal creates a self-signed certificate and you have to go into the admin panel to download it:
https://<your server's IP>:8443/
Log in with any user that is a member of the local sudoers group on the machine and navigate to Mail>Openchange
Click the Download Certificate button and download the Root CA Certificate file.
Now, on every client you have to install that certificate file into the Trusted Root Certificates container, which doesn't happen automatically; you have to pick that container manually.
Once that's all done you're good to go and you can connect up to the server like normal and you'll be able to lock down your relay policies.
If you've tinkered with the Firewall settings you're likely going to need to find the default settings for that and revert to those too, otherwise the open relay will never be closed.
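The stub override steps described above, as an added shell example that is not part of the original post: it seeds /etc/zentyal/stubs/mail from the shipped stubs without overwriting an override that has already been edited, and prints a diff for any override that differs so the relay and authentication changes can be reviewed. The function names and the SHIPPED_DIR and OVERRIDE_DIR variables are hypothetical; the default paths are the ones named in the text.

```shell
#!/bin/sh
# Added example: seed Zentyal mail stub overrides and report local changes.
# SHIPPED_DIR / OVERRIDE_DIR are hypothetical knobs; the defaults are the
# directories named in the text.
SHIPPED_DIR="${SHIPPED_DIR:-/usr/share/zentyal/stubs/mail}"
OVERRIDE_DIR="${OVERRIDE_DIR:-/etc/zentyal/stubs/mail}"

# sync_stub NAME
# Prints one state word: seeded, identical, customized or missing.
sync_stub() {
    name="$1"
    src="$SHIPPED_DIR/$name"
    dst="$OVERRIDE_DIR/$name"
    if [ ! -f "$src" ]; then
        echo missing            # shipped stub not found, nothing to copy
        return 1
    fi
    mkdir -p "$OVERRIDE_DIR" || return 1
    if [ ! -e "$dst" ]; then
        cp -p "$src" "$dst" || return 1   # first run: create the override
        echo seeded
    elif cmp -s "$src" "$dst"; then
        echo identical          # override exists but has no edits yet
    else
        echo customized         # local edits present: never overwrite
    fi
}

# sync_mail_stubs: process both files the text mentions and show what an
# existing override changes relative to the shipped stub.
sync_mail_stubs() {
    rc=0
    for f in main.cf.mas master.cf.mas; do
        state=$(sync_stub "$f") || rc=1
        printf '%-14s %s\n' "$f" "$state"
        if [ "$state" = customized ]; then
            diff -u "$SHIPPED_DIR/$f" "$OVERRIDE_DIR/$f" || true
        fi
    done
    return "$rc"
}

# Run as root with the argument "apply"; without it only the functions load.
if [ "${1:-}" = "apply" ]; then
    sync_mail_stubs
fi
```

After editing the overrides, restart the mail module with the command given in the text and confirm that the generated main.cf still carries the changes.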