We are sorry to report that we have a bug in dovecot, which merits a
CVE. See details below. If you haven't configured any auth_policy_*
settings you are ok. This is fixed with
Important vulnerability in Dovecot (CVE-2016-8562)
CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
Affected version(s): 188.8.131.52 up to 184.108.40.206
Fixed in: 220.127.116.11rc1
Short summary: Dovecot auth component can be crashed by remote user when
auth-policy component is activated.
If auth-policy component has been activated in Dovecot, then remote user
can use SASL authentication to crash auth component.
Workaround is to disable auth-policy component until fix is in place.
This can be done by commenting out all auth_policy_* settings.