Dovecot is pretty secure out-of-the box. It uses multiple processes and privilege separation to isolate different parts from each others in case a security hole is found from one part.
Some things you can do more:
Allocate each user their own UID and GID (see UserIds)
Use a separate dovecot-auth user for authentication process (see UserIds)
You can chroot authentication and mail processes (see Chrooting)
Compiling Dovecot with garbage collection (--with-gc configure option) fixes at least in theory any security holes caused by double free()s. However this hasn't been tested much and there may be problems.
There are some security related SSL settings (see SSL/DovecotConfiguration)
Set first/last_valid_uid/gid settings to contain only the range actually used by mail processes