Dovecot was designed from the beginning with security in mind and with many ways to provide privilege separation. Although the code is written in C, it uses a somewhat special C variant that makes it much more difficult to write security holes accidentally than in most other C-based projects.

Please see for more information how to report bugs.

Below is the list of all security holes found in Dovecot. Note that most of these are quite minor holes.

The ACL plugin had some problems, but it barely counts as a security hole.

The zlib plugin allows opening any gzipped mboxes. I guess this would have fit the rules, although it's pretty rarely used.

Second security hole in Dovecot: Off-by-one buffer overflow with mmap_disable=yes. Actual exploitability isn't known. If it is, it would have fit the rules.

First actual security hole in Dovecot: Mailbox names list disclosure with mboxes. Since the mailboxes can't actually be opened, I don't consider this to fit the rules above.