There are countless ways in; if someone is *that* good, it's near enough impossible to safeguard against 100%. Like Jim says, 9 times out of 10 it's weak passwords and/or someone being careless with theirs, giving it out (to anyone) or writing it down.
And yes, SMTP can be vulnerable; *any* open port can be vulnerable. Check SecurityFocus.com etc. for known loopholes against your particular version.