Quoting guard:
I'm wondering if Dovecot has any mechanism which prevents SQL injection?
I didn't check deeper, but there's code which uses MySQL's escape
function. Should be even safe without that, as long as you are not
messing with auth_username_chars.
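
A configuration check for the point made in the reply above, as an added example that is not part of the original thread or Dovecot's own code: it reads `doveconf`-style text and reports which SQL-significant characters the effective `auth_username_chars` would let through to the SQL lookup. The function names, the audit character list and the sample configs are assumptions constructed for this example; the default value and the "empty means all characters allowed" behaviour are as described in Dovecot's documentation.

```python
import re

# Dovecot's documented default for auth_username_chars.
DEFAULT_CHARS = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "01234567890.-_@")
# Characters this example treats as SQL-significant (assumed audit list).
SQL_META = set("'\"\\`;% ")
ALL_CHARS = None  # marker: an empty setting disables the character check

def effective_chars(conf_text):
    """Allowed-character string from config text, the default if the
    setting is absent, or ALL_CHARS if it is set to empty."""
    value = DEFAULT_CHARS
    for line in conf_text.splitlines():
        # Commented-out lines start with '#' and never match.
        m = re.match(r"\s*auth_username_chars\s*=\s*(.*?)\s*$", line)
        if m:
            value = m.group(1)  # a later assignment overrides an earlier one
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # strip surrounding double quotes
    return ALL_CHARS if value == "" else value

def risky_chars(conf_text):
    """SQL-significant characters a username may contain under this config."""
    chars = effective_chars(conf_text)
    return set(SQL_META) if chars is ALL_CHARS else SQL_META & set(chars)

def username_allowed(name, conf_text):
    """Mirror of the allowlist check: every character must be listed."""
    chars = effective_chars(conf_text)
    return chars is ALL_CHARS or all(c in chars for c in name)

# Constructed sample configurations (not taken from a real server).
STOCK = "# auth_username_chars = commented out\nauth_mechanisms = plain login\n"
WIDENED = "auth_username_chars = " + DEFAULT_CHARS + "+'\n"
EMPTY = "auth_username_chars =\n"

if __name__ == "__main__":
    for label, conf in (("stock", STOCK), ("widened", WIDENED), ("empty", EMPTY)):
        risky = "".join(sorted(risky_chars(conf)))
        print(f"{label:8} risky={risky!r} "
              f"accepts o'brien: {username_allowed(chr(111) + chr(39) + 'brien', conf)}")
```

With the stock setting nothing in the audit list can reach the query, so the driver's escaping is a second layer; once the setting is widened or emptied, escaping is the only layer left.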