buff_size in parse_email() looks as if it'd specify the full length of user and domain parameters, but it may write one byte more for \0. This may create buffer overflow with some software (eg. courier).
sybase module isn't checking user/domain lengths at all. If the program using vpopmail didn't limit them, it'd be easy to overflow. size-parameter for all strncat() calls are wrong.