I don’t see that it would make a difference–the SMTP server is accessible on red and green. Is it configured to respond differently to the VRFY command between the two? I could probably test this on mine, but it’ll take a bit before I could get to it.
I do agree it’s a false positive, but that’s because I don’t believe the so-called “vulnerability” is actually a vuln–but since they don’t bother to explain why they flag it, it’s kind of hard to say.