Yes, apparently qmail:
qmail is a vector for CVE-2014-6271 (bash "shellshock")
John Levine wrote:
Depends how your computer is set up. Qmail uses /bin/sh for command
deliveries, and it puts parameters in environment variables, so if
your /bin/sh is actually bash (a bad idea but very common on linux
systems) bad stuff can happen.
I would think that sendmail and postfix .forward files would have the
Postfix is not a vector for shellshock, explicitly stated here:
Don't know about sendmail, although we would probably hear
about it by now if it were.
ietf-822 mailing list