Another thing I thought of was chrooting, but I don't see any chrooting in your config.
Maybe you could find out something interesting by starting Dovecot with "strace -f -o log dovecot".
15311 setresgid(-1, 5000, -1) = 0 15311 setresuid(-1, 5000, -1) = 0 15311 alarm(30) = 0 15311 chdir("/home/vmail/XXX/thomas") = -1 EACCES (Permission denied) 15311 alarm(0) = 30 15311 geteuid() = 5000 15311 geteuid() = 5000 15311 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied) 15311 getegid() = 5000 15311 getegid() = 5000 15311 open("/etc/group", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied) 15311 stat("/home/vmail/XXX/thomas", 0x7fffd3a4c4a0) = -1 EACCES (Permission denied) 15311 stat("/home/vmail/XXX", 0x7fffd3a4c4a0) = -1 EACCES (Permission denied) 15311 stat("/home/vmail", 0x7fffd3a4c4a0) = -1 EACCES (Permission denied) 15311 stat("/home", 0x7fffd3a4c4a0) = -1 EACCES (Permission denied) 15311 stat("", 0x7fffd3a4c4a0) = -1 ENOENT (No such file or directory) 15311 time(NULL) = 1297888629 15311 stat("/etc/localtime", 0x7fffd3a4c100) = -1 EACCES (Permission denied) 15311 open("/etc/localtime", O_RDONLY) = -1 EACCES (Permission denied)
Is setresgid(-1,5000,-1) correct? I mean: -1!?