I didn't see on this thread where he said that he was able to do any of that. He said he had a controller with the capability, but that's all I saw.
But even if we assume that he can do all that with his laptop and desktop, it still doesn't mean that the PLC can. Most plants I am aware of (and EVERY plant should) isolate the process network from the business network and only make provisions for specific identified pieces of equipment and only on an as-needed basis, aka whitelisting.
If he is able to telnet to the port of the email server by default, and IT is not aware that he can, he most likely has many other holes in the network perimeter that will someday bite him. A business network is far more open than a process network should ever be, so if he can't, IT may still be able to help.
The telnet test will only partially confirm if this is an issue either way. Since you can't run telnet from the controller, you can't test it to the endpoint, so if his laptop works and the PLC doesn't, the security is likely to be Layer 2 based and there still would be an IT solution possible.