Some commands' use should also be limited or completely prohibited. For starters, deprecated commands (SEND, SOML, SAML, TURN, HELP) should be blocked. Although they theoretically pose no danger, a basic rule in security is to be paranoid. If they are not to be used, they should be intercepted at the wrapper and never reach the real daemon.
NOOP is a similar case: This command does not need to get to the server. However, it can perfectly be implemented at the wrapper - we already know it will return a success (250) message.
VRFY and EXPN pose a different situation: These instructions should simply be blocked. The Internet is no longer a network we can trust in, and usually, when someone is querying for mail addresses it is an attempt to build a spamming directory, or to learn something about our system in order to try to crack his way in. The commands must not only block requests returning an error code indicating the address does not exist, but also log the attempt.