Followup:
Received help on serverfault.com. Fix was to edit 10-master.conf. In the service auth { … } section, setting either:
extra_groups = vmail
or
group = vmail
…allows things to work.
Is there a better way to fix/configure this?
thanks.
Paul