Just in case anybody out there is still using qmail: a remote code
execution vulnerability has just been disclosed. Its CVE number is
CVE-2005-1513 because, as it turns out, the problem was reported 15 years
ago but the fix was refused by the maintainer.
“As a proof of concept, we developed a reliable, local and remote exploit
against Debian’s qmail package in its default configuration. This proof
of concept requires 4GB of disk space and 8GB of memory, and allows an
attacker to execute arbitrary shell commands as any user, except root
(and a few system users who do not own their home directory).“

Source: LWN.net – A remote code execution vulnerability in qmail