namespace public { separator = . prefix = COMPANY. users = someuser @somegroup location = maildir:/home/services/mail/arinbe.com/company/Maildir:CONTROL=%h/shared-se ttings/company/control:INDEX=%h/shared-settings/rootmail/index hidden = no }
Just to close this out (can be read as "hopefully help someone else" or "I like to hear myself talk")...
After spending a few days beating my head against a wall, I finally got this to work...
I had to read and re-read http://www.dovecot.org/list/dovecot/2006-June/013683.html. A dovecot-acl file is not read from the namespace. So for namespace folders I had to use the global vfile:/etc/dovecot-acl folder to create permissions. A dovecot-acl file in one of the shared folders trumps the permissions from global vfile:. The peculiar feature piece is that because namespace folders are not read it doesn't matter for the virtual user. In other words if I have a user named company and share its folders, only the company user will read the dovecot-acl in its folders. Other users accessing that folder as a shared resource will read the global vfile: acl files. This feature worked out great for me.
Using the acl plug-in will "turn off" public namespaces until acl files are put into place. This was hard to understand at first.
Separating things or locking folders down with unix group permissions is pretty much futile. I had to put all my users in all my hosted domains in the same group and open the shared folders permissions to 770 (or 660).
All in all, I am happy with the result.
Thanks,
Jim