Somehow I doubt there are any Dovecot setups left that unknowingly have this problem, but it still counts as a security hole. The possibility to cause this problem exists in Dovecot v1.0.rc11 and later.

If you use:

1. passdb ldap with settings:

• auth_bind = yes
• auth_bind_userdn = no
• base containing %variables required for unique user identification, e.g. base = dc=%d,dc=org
• pass_filter not containing all %variables required for unique user identification
• pass_attrs returning user-specific settings, such as user's home directory

2. userdb prefetch
3. auth_cache_size non-zero (0 is default)

If two users with the same password and same pass_filter variables log in within auth_cache_ttl seconds (1h by default), the second user may get logged in with the first user's cached pass_attrs. For example if pass_attrs contained the user's home/mail directory, this would mean that the second user will be accessing the first user's mails.

You most likely would have noticed this already by wondering why logins keep failing, unless pass_filter used also some %variables that most of the time uniquely identifies the user. For example %r (remote IP address) or %n (username without domain).

You can fix this by upgrading to v1.0.10 (to be released soon), or using this patch: http://hg.dovecot.org/dovecot-1.0/raw-rev/2cedab21cd6d