Checking the PGP signature is always a good idea, especially nowadays when so many software packages have been trojaned. You can verify Dovecot packages with these keys:
NEW! You can find packages for various distributions under https://repo.dovecot.org/.
Instructions for upgrading to a newer version.
You can get the latest development code from Dovecot's Github repository. Note that since it's constantly in development, it may be more or less broken. See instructions in wiki for how to compile it.
You can also get nightly snapshots. They don't require you to have autotools installed.
Unofficial patches can be found here.
Some extra tools can be found here.