Hi,
If I got the DROWN attack right, disabling SSLv3 and earlier solves the issue.
I only tested it on 10.6.0-7: with the checkbox "Disable support for SSLv3 and earlier protocols in all SMTP TLS conversations" selected, SMG does not answer with an SSLv2 header handshake, and therefore you're fine.
If the option is not set (SSLv3 and earlier enabled), a session header is exchanged, and DROWN is possible, even though no ciphers are bound to SSLv2.
This applies only to SMTP (STARTTLS); HTTPS is a different story. Just be sure to have port 443 ONLY available from your net.
Thomas
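
The difference described in the post above (an SSLv2 handshake reply versus none, including a reply that lists no ciphers) can be checked on the raw bytes a server returns after an SSLv2 CLIENT-HELLO. This is an added example, not part of the original post and not SMG code; the function names are hypothetical and all sample bytes are constructed.

```python
import struct

def make_server_hello(cipher_specs: bytes) -> bytes:
    """Build a constructed SSLv2 SERVER-HELLO record (sample data, not a capture)."""
    cert, conn_id = b"CERT", bytes(16)  # placeholder certificate and connection id
    body = bytes([0x04, 0x00, 0x01]) + struct.pack(
        ">HHHH", 0x0002, len(cert), len(cipher_specs), len(conn_id))
    body += cert + cipher_specs + conn_id
    return struct.pack(">H", 0x8000 | len(body)) + body  # 2-byte header, high bit set

def classify_reply(data: bytes) -> dict:
    """Classify the first record a server returned after an SSLv2 CLIENT-HELLO."""
    if not data:
        return {"kind": "no-reply", "sslv2": False}
    # SSLv3/TLS record: type 0x15 (alert) or 0x16 (handshake), major version 3.
    if len(data) >= 5 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        kind = "tls-alert" if data[0] == 0x15 else "tls-handshake"
        return {"kind": kind, "sslv2": False}
    # SSLv2 record with a 2-byte header: high bit set, 15-bit length.
    if len(data) >= 2 and data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) >= 11 and body[0] == 0x04:  # MSG-SERVER-HELLO
            _hit, _ctype, version, _cert_len, spec_len, _conn_len = struct.unpack(
                ">BBHHHH", body[1:11])
            if version == 0x0002:
                # Each SSLv2 cipher spec is 3 bytes. Zero specs is the case from
                # the post: a header is exchanged although no ciphers are bound.
                return {"kind": "sslv2-server-hello", "sslv2": True,
                        "cipher_specs": spec_len // 3}
    return {"kind": "unknown", "sslv2": False}

# Constructed samples: hello without ciphers, hello with one cipher, TLS alert, silence.
SAMPLES = {
    "sslv2, no ciphers": make_server_hello(b""),
    "sslv2, one cipher": make_server_hello(bytes.fromhex("010080")),
    "tls alert": bytes.fromhex("15030100020246"),
    "no reply": b"",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} -> {classify_reply(raw)}")
```

A reply classified as `sslv2-server-hello` means the option is not in effect on that listener, whatever the cipher count; `tls-alert` or `no-reply` matches the behaviour reported with the checkbox selected.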