Our organization is currently being tested by an IT security firm who have stated that while our internet facing mail gateway is not an open relay, they can connect to it on port 25 using telnet and check if an internal address is valid or not using RCPT TO.
The firm has stated that this leaves us open to address enumeration, phishing of our staff, and an exposed service with no authentication requirement that may lead to compromise.
As an organization we have to accept email from any legitimate public email address but we of course have protections in place for spam etc.
I have been told that unauthenticated telnet or similar types of connections to port 25 of our external gateway should be blocked, but I don't see a way of this being possible, or am I incorrect in saying so?
I'm facing the same quandary regarding being told that we should prevent our email addresses from being verified in this or any other way to prevent enumeration. I don't see a way to do this given the nature of our organization's business and the need to ensure members of the public know that they have contacted a legitimate address in our organization.
Any advice is greatly appreciated.
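Since a public MX must answer RCPT TO, the practical defence is usually to notice and throttle the probing rather than to hide the answer. The script below is an added example (not from the original question or any reply) of the detection side: it reads Postfix-style smtpd log lines, counts how many distinct unknown recipients each client IP was rejected for, and flags IPs above a threshold. The log lines are constructed here for illustration, the `550 ... User unknown` format is assumed to match a Postfix gateway, and the threshold value is a placeholder to tune against your own traffic.

```python
import re
from collections import defaultdict

# Constructed Postfix-style smtpd log lines (sample data, not real traffic).
# One client probes several guessed addresses in quick succession; another
# client is an ordinary sender who mistyped one address.
SAMPLE_LOG = "\n".join([
    "Mar  3 10:15:01 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
    "550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown in local recipient table; "
    "from=<probe@example.net> to=<aaron@example.org> proto=ESMTP helo=<scanner>",
    "Mar  3 10:15:01 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
    "550 5.1.1 <abby@example.org>: Recipient address rejected: User unknown in local recipient table; "
    "from=<probe@example.net> to=<abby@example.org> proto=ESMTP helo=<scanner>",
    "Mar  3 10:15:02 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
    "550 5.1.1 <adam@example.org>: Recipient address rejected: User unknown in local recipient table; "
    "from=<probe@example.net> to=<adam@example.org> proto=ESMTP helo=<scanner>",
    # A valid address is accepted (no reject line), so it does not count.
    "Mar  3 10:15:02 mx1 postfix/smtpd[1234]: 4F2A1B3C9D: client=unknown[203.0.113.5]",
    "Mar  3 10:15:03 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
    "550 5.1.1 <adrian@example.org>: Recipient address rejected: User unknown in local recipient table; "
    "from=<probe@example.net> to=<adrian@example.org> proto=ESMTP helo=<scanner>",
    "Mar  3 10:20:11 mx1 postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: "
    "550 5.1.1 <bob.smtih@example.org>: Recipient address rejected: User unknown in local recipient table; "
    "from=<carol@example.com> to=<bob.smtih@example.org> proto=ESMTP helo=<mail.example.com>",
    "Mar  3 10:20:12 mx1 postfix/smtpd[1240]: 7A91C2E4F0: client=mail.example.com[198.51.100.7]",
])

# Matches a Postfix "unknown recipient" rejection and captures the client IP
# and the probed address. The exact wording is an assumption about the
# gateway's log format; adjust it for other MTAs.
UNKNOWN_RCPT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 [0-9.]+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)


def unknown_recipients_by_client(log_text):
    """Map each client IP to the set of distinct unknown recipients it tried."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = UNKNOWN_RCPT_RE.search(line)
        if m:
            probes[m.group("ip")].add(m.group("rcpt").lower())
    return {ip: sorted(rcpts) for ip, rcpts in probes.items()}


def flag_enumeration_sources(log_text, threshold=3):
    """Return client IPs that hit `threshold` or more distinct unknown recipients.

    `threshold` is a placeholder value; a legitimate sender with one typo
    stays below it, while a scripted RCPT TO sweep climbs past it quickly.
    """
    probes = unknown_recipients_by_client(log_text)
    return sorted(ip for ip, rcpts in probes.items() if len(rcpts) >= threshold)


if __name__ == "__main__":
    for ip, rcpts in unknown_recipients_by_client(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} distinct unknown recipients")
    print("flagged:", flag_enumeration_sources(SAMPLE_LOG))
```

Counting distinct rejected recipients per client, rather than raw reject lines, separates a sweep through a guessed address list from a normal sender who repeatedly retries one misspelt address. The IPs this surfaces are candidates for temporary blocking or for the MTA's own per-client error limits (in Postfix, `smtpd_hard_error_limit` and `smtpd_error_sleep_time` slow down and disconnect clients that rack up rejections), which keeps the gateway answering RCPT TO honestly for the public while making bulk enumeration slow.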