Penetration testing shows a report that Symantec Messaging Gateway (SMG) allows usage of VRFY and EXPN commands.
SMG sends a 252 response to commands that are restricted by default. Some penetration testing can interpret this as a allowed command by seeing a response.
Example commands and responses from SMG:
vrfy [email protected]
252 2.0.0 vrfy restricted
expn [email protected]
252 2.0.0 expn restricted
Verify the SMTP commands you want to use are not allowed by testing with a telnet connection to your SMG over port 25.