cyrus-imapd reports:
When creating a missing mailbox as part of a sieve "fileinto" directive, lmtpd would create it as administrator, bypassing ACL checks.