self-answer after some digging [1]. Not sure why I have to specify this. I mean, what is the group used by dovecot by default ?
To make /etc/mail/passwd unreadable by regular users, I did this : groupadd _maildaemons usermod -G _maildaemons _sftpd usermod -G _maildaemons _dovecot chown root:_maildaemons /etc/mail/passwd chmod 640 /etc/mail/passwd In /etc/dovecot/local.conf : service auth { user = $default_internal_user group = _maildaemons } Comments ? [1] : https://wiki.dovecot.org/UserIds