I ran the MAPS/abuse.net relay test against my qmail system and it reported that my system may be an open relay. But I've checked and double-checked the contents of my control/rcpthosts file and this simply shouldn't be so. What am I doing wrong ? Is qmail broken ? How do I fix it ?
This is the Frequently Given Answer to that question.
The MAPS/abuse.net relay test is just one of several "open relay" testers that are, quite simply, wrong, and the answers to your questions are just MAPS/qmail-specific versions of the general answers at the aforementioned hyperlinked page.
You aren't doing anything wrong. qmail is not broken. It is the MAPS/abuse.net relay tester that is broken.
qmail is strictly RFC 822 compliant by default, in that it does not support the non-standard "percent hack" out of the box. You have to deliberately enable that mechanism if you really want it.
Unless you have very strange ideas about user naming, local users on your system will not have percent characters in their names, and qmail (specifically qmail-lspawn) will bounce mail employing the "percent hack". If you do have such users on your system, qmail will just deliver the mail locally to that user. In neither case, however, will qmail relay the mail anywhere else. So it cannot possibly be categorised as an open relay, whichever of the two actions it performs.