Checking the PGP signature is always a good idea, especially nowadays when so many software packages have been trojaned. I verify the signature automatically twice a day, but that might not be enough for you. You should find my public key 40558AC9 from wwwkeys.pgp.net with a signature path leading to Debian developers (CAEAAF03 one).
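One way to automate the check described above, as an added example that is not from the original page or the Dovecot project: a shell function that runs gpg on a detached signature and accepts it only if gpg's machine-readable status names a key whose fingerprint ends in 40558AC9. It assumes GnuPG is installed and the key is already in the local keyring; the function names and the sample status lines are constructed for illustration, and a full fingerprint obtained from a trusted source is a stronger pin than the 8-digit ID given here.

```shell
#!/bin/sh
# Added example; assumes GnuPG is installed and the signer's key is already
# in the local keyring. 40558AC9 is the key ID published on this page.
EXPECTED_KEYID="40558AC9"

# check_status KEYID
# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# names a signing-key or primary-key fingerprint ending in KEYID and gpg
# reported no bad, errored, expired or revoked signature.
check_status() {
    awk -v want="$1" '
        function ends_with(s, suffix) {
            return length(s) >= length(suffix) &&
                   substr(s, length(s) - length(suffix) + 1) == suffix
        }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 is the fingerprint of the key that made the signature;
            # the last field is the primary key fingerprint when gpg prints it.
            if (ends_with(toupper($3), toupper(want)) ||
                ends_with(toupper($NF), toupper(want))) { ok = 1 } else { bad = 1 }
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release TARBALL SIGFILE
# Verifies a detached signature and pins the result to EXPECTED_KEYID.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$EXPECTED_KEYID"
}

# Constructed status output: the fingerprint is made up apart from its suffix.
sample_status() {
    fpr="0000000000000000000000000000000040558AC9"
    printf '%s\n' \
        "[GNUPG:] GOODSIG 0000000040558AC9 Example Signer" \
        "[GNUPG:] VALIDSIG $fpr 2013-01-01 1356998400 0 4 0 17 2 00 $fpr"
}
```

A "Good signature" message alone only says that some key in the keyring signed the file; pinning the fingerprint is what ties the result to the expected signer.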
Instructions for upgrading to a newer version.
You can get the latest development code from Dovecot's GitHub repository. Note that since it's constantly in development, it may be more or less broken. See the instructions in the wiki for how to compile it.
You can also get nightly v2.2 snapshots. They don't require you to have autotools installed.
Unofficial patches can be found here.
Some extra tools can be found here.