dovecot - Jun 2013 - Problem with virtual user mailbox initialization

Hello,

I'm trying to set up a postfix/dovecot server where postfix hands over
incoming mail to dovecot using lmtp virtual transport via a Unix
socket. Dovecot is then supposed to write the mail to
/var/mail/<domain>/<user>/ using a virtual users setup. It seems to
work except for failing when the mailbox is supposed to be initially
created:

Jun 22 03:25:04 lmtp(2400, dkasak at foo.org): Error: user
dkasak at foo.org: Initialization failed: Namespace '':
mkdir(/var/mail/foo.org/dkasak) failed: Permission denied
(euid=5000(postman) egid=5000(postman) missing +w perm: /var/mail,
we're not in group 6(mail), dir owned by 0:6 mode=0775)

As can be seen from the error message, I've set mail_uid and mail_gid
to account/group postman. /var/mail/ is empty and owned by root:mail
so I've also set mail_privileged_group = mail. I was under the
impression that mail_privileged_group is used precisely for these
situations (when dotlocking or initial creation of the mailbox fail
due to insufficient privileges), but it still doesn't work. If I
either set mail_gid = mail, or set mail_access_groups = mail, or
create foo.org/ owned by postman:postman by hand, it works as
expected.

Here is the complete configuration:

# 2.2.2: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p4 i386  ufs
base_dir = /var/run/dovecot/
mail_gid = postman
mail_location = maildir:/var/mail/%d/%n/:LAYOUT=fs
mail_privileged_group = mail
mail_uid = postman
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave
namespace inbox {
  inbox = yes
  location   mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix   separator = /
  type = private
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = username_format=%u /etc/dovecot/users
  default_fields = quota_rule=*:storage=2G
  driver = passwd-file
}
protocol imap {
  mail_plugins = " notify mail_log"
}

Any ideas?

-- 
Denis Kasak