The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.
https://www.openwall.com/lists/oss-security/2021/06/28/2
https://security.gentoo.org/glsa/202107-41
https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html