By definition, a mail server has to be exposed to the internet
This isn't true, as it might be exposed only to an intranet or in some cases, only to localhost. I've come across all three situations in my professional work, and in all cases, I recommend upgrading. Any known vulnerability is likely to be exploited by script kiddies from across the globe, and even servers that aren't themselves connected to the internet can be attacked via other vectors.
The situation you are in is bad no matter how you look at it. First, you could already be infested with some malware. This might not only harm that company in terms of privacy (e.g. sending all emails that go through your server to an attacker), but it could be actively harming other people if, for example, it was running a bot to DDoS. IANAL, but I think you might be able to be held liable if you participate in such attacks due to gross negligence. Second, it sounds like few if any of the employees know enough about FreeBSD to even update it properly (judging by the fact that we don't even know what mail daemon is running). FreeBSD is a joy to use once you know it, but it has a learning curve. Finally, when a system is this out of date, it's much harder to update than if regular updates were performed. If it's literally a decade old as you say, it might actually be easier to start from scratch with a fresh install and just glance at the previous configs to understand how things were configured. If it's using sendmail, I pray for the souls of those responsible for updating/replacing it.
The good news is, once you get in the habit of updating regularly, it's relatively painless. Obviously you'll still hit bumps in the road, but would you rather deal with a few problems several times a year, or a ton of problems simultaneously once per decade? When something doesn't work, you can point the finger much more quickly if only 5 things were updated instead of 500. However, this is all probably barking up the wrong tree, as it seems like your problems are mostly managerial in nature, and hopefully not so much technical.
So how do you get management to listen? Well, show them any of the countless security breaches over the last several decades, and the damage they have done to those businesses. If that doesn't work, you have basically three options: do nothing, CYA, or quit and find a better place to work. I don't recommend doing nothing, because when something bad happens (and it eventually will), guess where the axe will fall. You can CYA, but the issue persists as a ticking time bomb, and even if your head doesn't roll when the defecation hits the oscillation, you'll be asked to 'fix' the problem, and right quick. This is certainly not a situation I'd enjoy being in. The last option is pretty self-explanatory, but ask yourself, "Do I really want to work somewhere that management doesn't hear the cries of their employees?"