While troubleshooting a bizarre spam issue on a newly upgraded server, I came across the following:
http://securitytracker.com/alerts/2008/Sep/1020801.html
The vulnerability can be exploited in one of two ways. The attacker can generate a base64-encoded string using a bogus username that begins with a valid short name on the server. The other option is to generate a base64-encoded string of a known valid password on the system. Either method causes qmail to authenticate the attacker, who can then use your Plesk server as a spam relay. The only fix at the time of this writing is to completely disable the use of short names for e-mail authentication.
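Before disabling short names it helps to know which clients still log in with one. The following is an added example, not code from the advisory or from Plesk: it decodes the login name from the client side of a captured SMTP session and flags names without a domain part. It assumes the standard AUTH PLAIN (RFC 4616) and AUTH LOGIN exchanges, and the session lines are constructed sample data.

```python
import base64

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def login_names(client_lines):
    """Yield the login name from each AUTH PLAIN / AUTH LOGIN attempt."""
    it = iter(client_lines)
    for line in it:
        words = line.split()
        if len(words) < 2 or words[0].upper() != "AUTH":
            continue
        mech = words[1].upper()
        if mech not in ("PLAIN", "LOGIN"):
            continue
        # The response is either on the AUTH line or on the client's next line.
        payload = words[2] if len(words) > 2 else next(it, "").strip()
        try:
            raw = base64.b64decode(payload, validate=True)
        except ValueError:
            continue  # not valid base64, ignore this attempt
        if mech == "PLAIN":
            # RFC 4616 layout: authzid NUL authcid NUL passwd
            fields = raw.split(b"\x00")
            raw = fields[1] if len(fields) == 3 else b""
        if raw:
            yield raw.decode("utf-8", "replace")

def is_short_name(name: str) -> bool:
    """True when the login name is not in user@domain form."""
    local, sep, domain = name.partition("@")
    return not (local and sep and domain)

def short_name_logins(client_lines):
    return [n for n in login_names(client_lines) if is_short_name(n)]

# Constructed sample: client side of three login attempts (placeholder passwords).
SAMPLE = [
    "EHLO client.example",
    "AUTH PLAIN " + _b64(b"\x00alice@example.com\x00not-a-real-password"),
    "AUTH LOGIN",
    _b64(b"alice"),
    _b64(b"not-a-real-password"),
    "AUTH PLAIN",
    _b64(b"\x00bob\x00not-a-real-password"),
]

if __name__ == "__main__":
    for name in login_names(SAMPLE):
        print(("SHORT " if is_short_name(name) else "full  ") + name)
```

Any name reported as SHORT belongs to a client that will need to be reconfigured with its full e-mail address once short names are disabled.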
