Are those indications sufficient for addition to the SSG, perhaps with a low severity?
For the security discussion (non-compliance) portion, it's certainly worth including as a discussion point (and making available as a Rule for parties who may have specific use cases where this might really matter). For a baseline with a wide audience such as the STIG, I had argued against inclusion. But if you feel that there's value in enforcing this as a compliance check (which is to say, that the security benefits outweigh the costs as part of maintaining the baseline as well as of enforcement itself), please say so and throw a patch up to the list.
And this is why I'm interested in participating in this community, because it is way easier to make good arguments for risk acceptance or avoidance when the provenance of the requirements is known. I'm with Jeffery on this one, but good luck getting this past anyone who is used to the old rules, or is simply applying the RHEL 5 profile to RHEL 6. Grr.
I'm also in favor of postfix, although we never did get the RHEL 5 CIS benchmark to recommend deprecation of sendmail.
Andrew