It was discovered that the lmtpd component of the Cyrus IMAP server created mailboxes with administrator privileges if the fileinto was used, bypassing ACL checks.