I use Postfix, which I believe has a pretty good (though not spotless) security track record. The most recent CVE for it seems to have been in 2017, and that was local privilege escalation.

I run Postfix. The author (Wietse) himself is very active on the mailinglist and happy to answer questions.

Postfix is rock solid in my experience. And probably more flexible than people give it credit for. There’s a ton of configurability. I’ve used it for over a decade now and every issue I’ve run into has been my error or something else in the stack or path.

People usually don't choose it. It's the usual hosting providers mail service of choice, because it's so easy to configure for thousands of domains and users. Not just cPanel, almost everybody.

opensmptd (which seems a) to have a simple config and b) is a new implementation). Though you then still need Dovecot or co. for mailboxes (unless you prefer SSH for that).

Disclaimer: just reading about opensmtp, I'm using postfix

Dovecot is an IMAP server while exim, sendmail, postfix, and opensmtp (I guess) are SMTP servers (aka MTAs). An SMTP server is for sending/forwarding mails to or through, and IMAP (or POP3 or new-fangled jmap, supposedly) is what your mail program uses to browse your received mails and mailboxes etc.

I'm well aware of this distinction, yet it's also part of the equation when looking at "how to secure my email-server"

Notqmail ;)

An E-Mail client not written in C to start with.

> An E-Mail client not written in C to start with.

Exim is an SMTP server (MTA), not an email client (MUA).

Fair enough. Doesn't fix the buffer overflow though.

Which non-C MTA would you recommend?

There's maddy, but it's very new and not very popular.

Someone using a rust implementation of telnet listening to port 25 to answer incoming requests.

> Thunderbird

Thunderbird is an MUA and is not a substitute for an MTA like Exim.