FWIW, Virtualmin does not enable the master user feature of Dovecot. It is not enabled by default on RHEL8 derived systems, and I’m pretty confident it is not enabled by default on any of our supported systems.
I believe this means Virtualmin systems are not subject to this CVE, unless the user has modified their Dovecot config to enable master user support. But, no harm in updating, either.