I hesitate to ask when so many admins of enterprise installations are trying to maintain systems used by large user populations, but ... I have a truly dinosaur installation of Smartermail that I use essentially as a personal mail server.  I use POP delivery only -- webmail is not and has never been enabled.  No IIS website is running for Smartermail.  For admin, I RDP to the server and log in to SM's default web server on localhost.  I never like to say never, but can't imagine how my SM installation would answer any http requests from the outside.

Is this safe?  I.e. do any of the recent security issues involve exploits of the SMTP and POP functions of Smartermail?

Upgrade is not an option for me, since Smartermail has evolved into a very complex, very expensive enterprise product which I don't need and can't afford.  I am a holdout from times gone by when Smartermail was a simpler, low-cost product, and it's worked well for literally decades.  I first purchased version 4, as I recall, and my current version is double digit, but not by much.