Skip to main content


Dovecot was designed since the beginning with security in mind and with many ways to provide privilege separation. Although the code is written with C, it's a little bit special C variant that makes it much more difficult to write security holes accidentally than with most other C-based projects.

Below is the list of all security holes found from Dovecot. Note that most of these are quite minor holes.

Second security hole in Dovecot: Off-by-one buffer overflow with mmap_disable=yes. Actual exploitability isn't known. If it is, it would have fit the rules.

First actual security hole in Dovecot: Mailbox names list disclosure with mboxes. Since the mailboxes can't actually be opened, I don't consider this to fit the rules above.