Our port is probably still vulnerable to CVE-2006-0709: https://security-tracker.debian.org/tracker/CVE-2006-0709
https://rhn.redhat.com/errata/RHSA-2006-0217.html There are two patches included in the Debian tickets and I can't tell which was applied. They removed the port in 2009, so it's hard to find out. Of course, ideally we'd just remove ours too, but as sthen pointed out comms/hylafax and mail/exmh2 still depend on it.
