Qmail can be used as an attack vector to exploit bash vulnerable to CVE-2014-6271 (aka shellshock). This can be used to execute arbitrary commands as any valid user with a .qmail containing a program delivery. Common uses of program delivery are procmail, ezmlm, spam checkers, etc. As has already been said, upgrade your bash now!