Nate, nice name.
I'm not familiar with mail2web; what is this, a web-based IMAP application? If so, whether or not these entries are updated in smtpd_check_rules depends on the way the system operates. By default, local addresses should not be added to smtpd_check_rules by pop-before-smtp.
As a security concern, I really wouldn't be worried. To be quite honest, from a security aspect (unauthorized utilization of your smtpd server as a public relay) pop-before-smtp isn't the most secure solution. A user does not have to authorize to be granted access to the smtpd server; it simply needs to connect on pop3/popSSL/imap to be granted access. However, access is only granted to the smtpd server for a select amount of time (10 minutes), and you do have a log file of these connections.
There is no other way to provide access control over smtpd_check_rules without patching the qmail daemon, and even then you wouldn't be able to support IMAP without patching IMAP.
To recap, pop-before-smtp isn't a strict authorization-based implementation of the pop-before-smtp logic; however, it does require no modification to the system, and IPs are only allowed access for a limited duration.
What this means in the real world:
It depends on how much you care about being "exploited". Worst case scenario is you assist in the propagation of SPAM via relaying. There is a trade-off with any listening daemon, service versus security. The call is really your own, and from the research I've done, this is the only pop-before-smtp implementation for the Obtuse SMTP daemon.
Hope this answered your questions. If you have more, feel free to contact me,
Nathan (The guy who wrote pop-before-smtp for e-smith)
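
An added example, not part of Nathan's post or of the pop-before-smtp code: a log audit that separates relay attempts whose 10-minute grant came from a bare pop3/popSSL/imap connection from those preceded by a successful login. The log line format, event names and addresses are constructed for illustration and are assumptions, not the real log layout.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # grant duration stated in the post
GRANTING_SERVICES = ("pop3", "popssl", "imap")

# Constructed sample log: "<date> <time> <service> <event> <ip>" (assumed format).
SAMPLE_LOG = """\
2024-01-01 10:00:00 pop3 connect 192.0.2.10
2024-01-01 10:00:01 pop3 auth-ok 192.0.2.10
2024-01-01 10:03:00 smtp relay-attempt 192.0.2.10
2024-01-01 10:05:00 imap connect 198.51.100.7
2024-01-01 10:06:00 smtp relay-attempt 198.51.100.7
2024-01-01 10:20:00 smtp relay-attempt 198.51.100.7
2024-01-01 10:30:00 smtp relay-attempt 203.0.113.5
"""

def _recent(seen, ip, ts, window):
    """True if `ip` was recorded in `seen` no more than `window` before `ts`."""
    return ip in seen and timedelta(0) <= ts - seen[ip] <= window

def audit_relays(log_text, window=WINDOW):
    """Label each relay attempt by what, if anything, opened its grant window."""
    last_connect, last_auth = {}, {}
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guessing at fields
        try:
            ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        service, event, ip = parts[2:]
        if service in GRANTING_SERVICES and event == "connect":
            last_connect[ip] = ts
        elif service in GRANTING_SERVICES and event == "auth-ok":
            last_auth[ip] = ts
        elif service == "smtp" and event == "relay-attempt":
            if _recent(last_auth, ip, ts, window):
                verdict = "authenticated"   # a login preceded the relay
            elif _recent(last_connect, ip, ts, window):
                verdict = "connect-only"    # grant opened without a login
            else:
                verdict = "no-grant"        # window expired or never opened
            findings.append((ts.strftime("%H:%M:%S"), ip, verdict))
    return findings

if __name__ == "__main__":
    for when, ip, verdict in audit_relays(SAMPLE_LOG):
        print(when, ip, verdict)
```

The "connect-only" rows are the ones worth reviewing, since they are relay attempts from addresses that never logged in.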