Per our help documentation, the VRFY SMTP command can be a security risk in some scenarios and so this is unfortunately not something we can apply a blanket answer to. If you have devices/clients that require the ability to verify mailboxes/expand aliases before sending I'd recommend having it on, otherwise you should be able to test with it turned off to confirm there isn't an impact. Here's our help section on this:

Enable VRFY command - Enable this setting to allow others (including other mail servers) to verify an email address on the server. Note: Some people believe enabling VRFY commands is a security risk, so be sure to research the possible ramifications before enabling this feature.