Skip to main content


Dovecot was designed since the beginning with security in mind and with many ways to provide privilege separation. Although the code is written with C, it's a little bit special C variant that makes it much more difficult to write security holes accidentally than with most other C-based projects.

Below is the list of all security holes found from Dovecot. Note that most of these are quite minor holes.

Security holes in CMU Sieve plugin. This is why I've kept the Sieve plugin in a separate package.

ACL plugin has mainly been used for some simple ACLs and sysadmin should have always tested that they work correctly. But as the ACL plugin has recently been developed more, bugs have been found and distro people have treated them as security holes. I think it's highly unlikely anyone really cared about those. The brokeness of the functionality would have been immediately obvious.

Blocking passdbs allowed to log in without a valid password in v1.0.11 and v1.0.12 (released 5 days ago).

ACL plugin had some problems, but it barely counts as a security hole.

zlib plugin allows opening any gziped mboxes. I guess this would have fit the rules, although it's pretty rarely used.