Self-answer after some digging [1]. Not sure why I have to specify this. I mean, what is the group used by Dovecot by default?
To make /etc/mail/passwd unreadable by regular users, I did this:
groupadd _maildaemons
usermod -G _maildaemons _sftpd
usermod -G _maildaemons _dovecot
chown root:_maildaemons /etc/mail/passwd
chmod 640 /etc/mail/passwd
In /etc/dovecot/local.conf:
service auth {
  user = $default_internal_user
  group = _maildaemons
}
Comments?
[1]: https://wiki.dovecot.org/UserIds
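
One way to verify the result of the steps above, as an added example that is not part of the original post. The file, group and account names are the ones the post uses; the function names and the `audit` argument are made up for illustration.

```sh
#!/bin/sh
# Added example: audit the setup described in the post above.
# File, group and account names are the ones used in the post.

# Succeed only if FILE is a regular file with mode 640 owned by OWNER:GROUP.
check_file() {
    line=$(ls -ld "$1" 2>/dev/null) || return 2
    # ls -l columns: mode, link count, owner, group, ...
    read -r mode _links fowner fgroup _rest <<EOF
$line
EOF
    case $mode in
        -rw-r-----|-rw-r-----.) ;;   # 640; a trailing '.' is the SELinux marker
        *) return 1 ;;               # anything else, ACL marker '+' included, fails
    esac
    [ "$fowner" = "$2" ] && [ "$fgroup" = "$3" ]
}

# Succeed if USER is a member of GROUP (primary or secondary).
in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Run both checks and report every failure, not just the first.
audit() {
    rc=0
    check_file /etc/mail/passwd root _maildaemons ||
        { echo "FAIL: /etc/mail/passwd is not root:_maildaemons mode 640"; rc=1; }
    for u in _sftpd _dovecot; do
        in_group "$u" _maildaemons ||
            { echo "FAIL: $u is not in _maildaemons"; rc=1; }
    done
    return "$rc"
}

# Only audit when asked, e.g.: sh check-mail-passwd.sh audit
if [ "${1:-}" = "audit" ]; then
    audit && echo "OK"
fi
```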

