Quoting guard: > I'm wonderig if dovecot have any mechanism which prevent sql injection? I didn't check deeper, but there's code which uses mysql's escape function. Should be even save without that, as long as you are not messing with auth_username_chars.