Dovecot is pretty secure out of the box. It uses multiple processes and privilege separation to isolate its parts from each other in case a security hole is found in one of them.
Some further things you can do:
- Allocate each user their own UID and GID (see UserIds)
- Use a separate dovecot-auth user for the authentication process (see UserIds)
- You can chroot authentication and mail processes (see Chrooting)
- Compiling Dovecot with garbage collection (--with-gc configure option) fixes, at least in theory, any security holes caused by double free()s. However, this hasn't been tested much and there may be problems.
- There are some security-related SSL settings (see SSL/DovecotConfiguration)
- Set the first/last_valid_uid/gid settings to contain only the range actually used by mail processes
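
For the last item, one way to check the range is to compare it with the accounts that actually hold mail. The script below is an added example, not part of Dovecot or of the original page; the passwd lines are constructed, and recognising mail accounts by a /srv/mail/ home prefix is an assumption.

```python
# Constructed passwd(5)-format sample; not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000:Deploy:/home/deploy:/bin/bash
alice:x:5001:5000:Alice:/srv/mail/alice:/usr/sbin/nologin
bob:x:5002:5000:Bob:/srv/mail/bob:/usr/sbin/nologin
carol:x:5003:5000:Carol:/srv/mail/carol:/usr/sbin/nologin
"""
MAIL_HOME_PREFIX = "/srv/mail/"  # assumption: how mail accounts are recognised


def parse_passwd(text):
    """Return [(name, uid, gid, home)] for well-formed passwd lines."""
    accounts = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[2].isdigit() and fields[3].isdigit():
            accounts.append((fields[0], int(fields[2]), int(fields[3]), fields[5]))
    return accounts


def tight_ranges(accounts, prefix=MAIL_HOME_PREFIX):
    """Smallest first/last_valid_uid/gid range covering every mail account."""
    mail = [a for a in accounts if a[3].startswith(prefix)]
    if not mail:
        raise ValueError("no mail accounts found; refusing to guess a range")
    uids = [a[1] for a in mail]
    gids = [a[2] for a in mail]
    return {"first_valid_uid": min(uids), "last_valid_uid": max(uids),
            "first_valid_gid": min(gids), "last_valid_gid": max(gids)}


def exposed_accounts(accounts, settings, prefix=MAIL_HOME_PREFIX):
    """Non-mail accounts whose UID the given settings would still accept."""
    first = settings["first_valid_uid"]
    last = settings["last_valid_uid"] or float("inf")  # 0 means no upper limit
    return [name for name, uid, _gid, home in accounts
            if not home.startswith(prefix) and first <= uid <= last]


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    wide = {"first_valid_uid": 500, "last_valid_uid": 0}  # constructed wide range
    print("accepted by the wide range:", exposed_accounts(accounts, wide))
    tight = tight_ranges(accounts)
    for key, value in tight.items():
        print(f"{key} = {value}")
    print("accepted by the tight range:", exposed_accounts(accounts, tight))
```

If exposed_accounts still returns names for the tight range, non-mail UIDs are interleaved with mail UIDs and the accounts need renumbering before the range can exclude them.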