Hello Dovecot Team,

During my tests I setup a global ACL allowing mailbox create for all authenticated users. Then, I made a mistake in Thunderbird, tried to create a mailbox directly on the "/shared/" special folder.

Dovecot created a folder in the global root path of our mail store. Since I use maildir:/var/vmail/%d/%n/mail as mail_location, it created the mailbox in /var/vmail (where my domains are).

It was just a test and I can imagine allowing create permission to all users whatever the path is not a good idea nor a common use case but still, it's probably worth reporting.

Keep up the good work Cheers

Loïc Gomez