Global create ACL allows out of boundaries mailbox

Loïc Gomez opensource at kyoshiro.org
Thu Jul 13 10:18:49 EEST 2017


Hello Dovecot Team,

During my tests I set up a global ACL allowing mailbox create for all authenticated users.
Then I made a mistake in Thunderbird and tried to create a mailbox directly on the "/shared/"
special folder.

Dovecot created a folder in the global root path of our mail store.
Since I use maildir:/var/vmail/%d/%n/mail as mail_location, it created the mailbox in
/var/vmail (where my domains are).

It was just a test, and I can imagine that allowing create permission to all users, whatever the
path, is neither a good idea nor a common use case, but still, it's probably worth reporting.

Keep up the good work
Cheers

Loïc Gomez


