I am busy migrating. I am moving from macOS+MacPorts to Ubuntu+Docker.

On the old system, I have this in the dovecot config:
mail_uid = _dovecot
mail_gid = mail
mail_privileged_group = mail
mail_access_groups = mail

This seems weird to me; I think the dovecot user should be in group dovecot only, if I understand the docs. On the old system, dovecot, postfix, dovenull and rspamd are all members of the mail group.

On that system, the CRAM-MD5 passwd database (file) has these permissions:

drwxr-xr-x   3 root  wheel    96 Feb  2  2021 .
drwxr-xr-x  22 root  admin   704 Jan  4 15:17 ..
-rw-r-----   1 root  mail   1234 Feb  2  2021 cram-md5.pwd

and that has worked like that for many years, basically starting with Mac OS X Server, surviving all kinds of macOS migrations.

On my new Ubuntu system I've copied this setup over:
drwxr-xr-x 2 root root 4096 Jan  4 09:49 .
drwxr-xr-x 7 root root 4096 Jan  4 15:21 ..
-rw-r----- 1 root mail 1234 Feb  2  2021 cram-md5.pwd

mail_uid = dovecot
mail_gid = mail
mail_privileged_group = mail
mail_access_groups = mail

Jan 04 15:40:08 auth: Error: passwd-file /etc/dovecot/etc/cram-md5.pwd:open(/etc/dovecot/etc/cram-md5.pwd) failed: Permission denied (euid=91(dovecot) egid=91(dovecot) missing +r perm: /etc/dovecot/etc/cram-md5.pwd, we're not in group 8(mail), dir owned by 0:0 mode=0755)

And really, dovecot is in group mail. From /etc/group:
And from /etc/passwd:

So, that I get this error baffles me.
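
The access check behind that error line, as an added example that is not part of the original post: it parses the quoted log line and `ls -l` entry and applies the POSIX owner/group/other selection, using the credentials the failing process reported for itself, which are what the kernel checks, rather than what /etc/group lists. The function names are hypothetical, and root's permission override is left out.

```python
import re

# Error line and directory entry as quoted in the post above (timestamp dropped).
LOG = ("auth: Error: passwd-file /etc/dovecot/etc/cram-md5.pwd:"
       "open(/etc/dovecot/etc/cram-md5.pwd) failed: Permission denied "
       "(euid=91(dovecot) egid=91(dovecot) missing +r perm: "
       "/etc/dovecot/etc/cram-md5.pwd, we're not in group 8(mail), "
       "dir owned by 0:0 mode=0755)")
LS = "-rw-r----- 1 root mail 1234 Feb  2  2021 cram-md5.pwd"


def parse_log(line):
    """Extract the credentials the failing process actually held."""
    ids = re.search(r"euid=\d+\((\w+)\) egid=\d+\((\w+)\)", line)
    missing = re.search(r"not in group \d+\((\w+)\)", line)
    return {"user": ids.group(1),
            "groups": {ids.group(2)},
            "missing_group": missing.group(1) if missing else None}


def parse_ls(line):
    """Pull mode string, owner and group out of one `ls -l` line."""
    fields = line.split()
    return {"mode": fields[0], "owner": fields[2], "group": fields[3]}


def read_class(entry, user, groups):
    """Return (class used, read allowed). Exactly one class applies:
    owner if the user matches, else group if the process holds the
    file's group, else other. Later classes are never consulted."""
    mode = entry["mode"]
    if user == entry["owner"]:
        return "owner", mode[1] == "r"
    if entry["group"] in groups:
        return "group", mode[4] == "r"
    return "other", mode[7] == "r"


if __name__ == "__main__":
    creds, entry = parse_log(LOG), parse_ls(LS)
    # Credentials exactly as logged: only group 'dovecot' is held.
    print("as logged:", read_class(entry, creds["user"], creds["groups"]))
    # Same process if its credential set also contained the missing group.
    with_mail = creds["groups"] | {creds["missing_group"]}
    print("holding 'mail':", read_class(entry, creds["user"], with_mail))
```

On a live system the credential set of a running process is visible in the `Gid:` and `Groups:` lines of `/proc/<pid>/status`.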