Security – Failed PCI Compliance – Port: 21 Protocol: tcp | Summary : attempts some buffer overflows

The result from your PCI scanning service is likely a false positive, though it can be hard to tell. Chances are they matched the version number of your SMTP program, it usually is announced on connection to port 25, and checked that product and version number against a list of known-vulnerable software. And found a match.

Since you are on Centos, the thing you need to do is go through the entire revision history of the SMTP service's RPM releases looking for a changelog that specifies security fixes. Chances are very good that RedHat has backported the buffer overflow vulnerability into the older revision, but you need to backtrack to be certain. Once that's done, you can flag this as a false positive.

Backporting of security patches is one of the main benefits of using a Linux with a support contract. Centos is the same thing, but you don't get to call in about anything you just get security patches.

How to do what you asked:
With CentOS your firewall is controlled by IPTables / netfilter. Although you could add a rule to block UDP port 5353 traffic with (and traditional state rules):

iptables -A INPUT -p udp -m udp --dport 5353 -m state --state NEW -j DROP

Why you shouldn't do what you asked:
However, I believe that PCI compliance requires that your firewalls have default deny policies, meaning you should be dropping all traffic that you do not allow by specific rules and therefore should not need a specific rule like the one above. You would do this in IPTables by having DROP be the default rule or by adding a DROP rule at the bottom of your firewall. Also, this filtering should probably be happening already on a firewall not a server. If CentOS is your firewall this rules will be on the FORWARD chains, not the INPUT chains.

You probably want outside help:
Judging by level of your question, and complexity of implementing full PCI compliance, I sense you are a bit over your head here. That doesn't make you a bad person or bad at your job. However, just like you are asking for help for specifics here (a great thing to do, props as well for not leaving out that this is for PCI compliance) I recommend you get more help from a consultant on PCI implementation as project on the whole. If after thinking about this for a while you feel this is true, you are actually doing your job as best as you can by admitting that seeking outside help is best for the company.