Dovecot was designed since the beginning with security in mind and with many ways to provide privilege separation. Although the code is written with C, it's a little bit special C variant that makes it much more difficult to write security holes accidentally than with most other C-based projects.
Please see https://www.dovecot.org/bugreport-mail for more information how to report bugs.
Below is the list of all security holes found from Dovecot. Note that most of these are quite minor holes.
zlib plugin allows opening any gziped mboxes. I guess this would have fit the rules, although it's pretty rarely used.
Second security hole in Dovecot: Off-by-one buffer overflow with mmap_disable=yes. Actual exploitability isn't known. If it is, it would have fit the rules.