|Email Plug-in (Reporting):|1.1.0-129|
|Email Plug-in (Encryption):|1.2.1-151|
Complete these steps in order to disable Telnet:
SMTP (as per RFC 5321) is a session-oriented protocol using port 25. So it is true that you can use a telnet client to connect to port 25 on the appliance and inject emails - this is how the SMTP protocol is supposed to work. It is also true that you can use any envelope sender address within the telnet session, but all other mail servers that connect to your appliance could do this as well. This is based on the fact that the SMTP protocol was born without any security features when it was first drafted. If envelope sender address spoofing is your concern here, then you could use the envelope sender verification setting in the Mail Flow Policies to tackle this.
For me the main question is whether you can inject email with recipients for your domains only or for any domain (e.g. gmail) as well. If mails get accepted for any recipients (even outside of your domain), you may innocently be running an open relay server. I'd then recommend verifying whether the source IP address you initiated your telnet session from is listed in a RELAYLIST sender group in the Host Access Table of your appliance. If not, please verify whether the Recipient Access Table (RAT) entry "all other recipients" is set to "accept" instead of "reject".
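The recipient check described in the reply above can be scripted for your own appliance. This is an added example, not part of the original post or of any Cisco tooling: the function names, verdict labels and the `example.com` / `example.net` addresses are assumptions, and the session stops at RCPT TO, so no message is submitted.

```python
import smtplib

def probe_rcpt(host, sender, recipients, port=25, timeout=10):
    """Return {recipient: SMTP reply code} for RCPT TO. DATA is never sent."""
    codes = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        for rcpt in recipients:
            smtp.rset()                       # start a clean mail transaction
            code, _ = smtp.mail(sender)
            if code == 250:
                code, _ = smtp.rcpt(rcpt)
            codes[rcpt] = code                # MAIL FROM refusal is recorded too
    return codes

def classify(codes, local_domains):
    """Decide whether recipients outside local_domains were accepted."""
    local = {d.lower() for d in local_domains}
    accepted, unclear = [], []
    for rcpt, code in codes.items():
        if rcpt.rsplit("@", 1)[-1].lower() in local:
            continue                          # own domains are expected to pass
        if 200 <= code < 300:                 # 250 OK / 251 will forward
            accepted.append(rcpt)
        elif 400 <= code < 500:               # temporary failure, retry later
            unclear.append(rcpt)
    if accepted:
        # Expected if the probing IP is in a RELAYLIST sender group; otherwise
        # check the RAT "all other recipients" entry as the reply describes.
        return "relays", accepted
    if unclear:
        return "inconclusive", unclear
    return "restricted", []

if __name__ == "__main__":
    # Constructed reply codes standing in for a live probe_rcpt() result.
    sample = {"user@example.com": 250, "probe@example.net": 550}
    print(classify(sample, ["example.com"]))
```

Run `probe_rcpt` from a host that is not supposed to relay through the appliance; a result from an address inside RELAYLIST only shows that relaying works as configured.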