Permissions for mailboxes are set at two different levels. You can define permissions at the database level and at the mailbox level. The mailboxes will inherit access right permissions from the database so I'd recommend you start there. The powershell code to see who has rights and what those rights are at the database level is:
$Database = "your database name here" Get-ADPermission $Database | Where-Object {$_.Deny -eq $False} | Select User,AccessRights
That code will give you a dump of who has DB rights (I'm betting "Everyone" or "Authenticated Users" has full access). Use the Add-ADPermission
and/or Remove-ADPermission
cmdlets in order to re-mediate, remove, and change access rights.
Since you're new to Exchange administration, be extremely careful and use the -Whatif
option where possible. You may also want to consider bringing in an Exchange Administrator on a contract to look over your network and ensure configuration is correct and proper.