qmail last had an official release in the late 90's.
everything else is third-party forks / patches. Back in the day, I upgraded many systems from sendmail to qmail. However, that was a very long time ago... It's been over 15 years since I've done something like that.
Nowadays, the author should be telling people to install postfix.
The app is vulnerable if it runs in an unsafe environment that allows qmail to access more than 4GB (an absurdly large value when qmail was published in 1997 -- it would cost $5000 plus a rare, expensive machine to hold it).
djb's view is that the environment is the responsibility of the admin, not the program's responsibility to enforce sane defaults. This is of course debatable.
If the admin uses a recommended environment (low memory limit), there is no exploitability.
I meant: my parent comment (@allover) was missing a reference to how ES is insecure by default, this community gives them heck (rightly so) and that this comparison (qmail v. ES) could have been added (ie: was missing) from his post.
For a result of: this is a qmail bug that could/should be fixed AND ES should fix theirs too.
I'm for sure (I thought obviously) not excusing either qmail or ES from being insecure by default or for their "fix" to be: "you're doing it wrong".
I don't think my karma will ever recover from this (Tiger King joke)
Nowadays, the author should be telling people to install postfix.