Skip to main content


Dovecot was designed since the beginning with security in mind and with many ways to provide privilege separation. Although the code is written with C, it's a little bit special C variant that makes it much more difficult to write security holes accidentally than with most other C-based projects.

Please see for more information how to report bugs.

Below is the list of all security holes found from Dovecot. Note that most of these are quite minor holes.

Second security hole in Dovecot: Off-by-one buffer overflow with mmap_disable=yes. Actual exploitability isn't known. If it is, it would have fit the rules.

First actual security hole in Dovecot: Mailbox names list disclosure with mboxes. Since the mailboxes can't actually be opened, I don't consider this to fit the rules above.