I'm trying to build a Ubuntu 12.04 mail server as such.
Must: Auth against an existing Open-LDAP server. Storage in Maildirs on an existing NFS server, everything owned by 8:8 (mail:mail). Auth is required for smtp and imap.
Should (I think): Postfix using Dovecot SASL.
Things work OK except when I am using LDAP for userdb:
userdb {
driver = ldap
args = /etc/dovecot/ldap-userdb.conf.ext
}
... then the maildir files are read/written as the UID:GID from LDAP. But the mail has to be owned by 8:8 (because of other mail servers), so I get errors like:
Error: open(/var/mail/...) ...
failed: Permission denied (euid=1193(<...>) egid=555(<...>) missing +r perm
.... dir owned by 8:8 ...
but if I use static userdb:
userdb {
driver = static
args = uid=8 gid=8 home=/var/mail/%u
}
...then when sending mail from one LDAP user to another LDAP user on the new mail server I get an error: (emailing to [email protected])
postfix/local[32371]: C6F7561735: to=<[email protected]>,
relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=5.1.1,
status=bounced (unknown user: "timmytester")
...but emailing to outside the local domains works fine.
It SEEMS to me that using static userdb interferes with Dovecot providing SASL. So I tried to just slip in the 8:8 to the ldap userdb config: (I use the same config file for passdb and userdb for ldap, symlinked)
uris = ldap://ldapserver.domain.com
dn = cn=admin,dc=domain,dc=COM
dnpass = secretPW
auth_bind = no
ldap_version = 3
base = ou=Users, dc=DOMAIN, dc=COM
pass_attrs = uid=user,userPassword=password
user_attrs = uid=8,gid=8 # <--- here I tried to cheat.
pass_filter = (&(objectClass=mailUser)(|(mailDestination=%u)(uid=%n)))
default_pass_scheme = SSHA
... and this replicates the static userdb problem. Unknown User. But at least it seems I CAN do static-like assignments here.
If my mail could be owned by the real uid:gid then I would be good. Postfix virtual users, virtual domains, all that stuff seems to be fine. Just when Dovecot goes 8:8, then Postfix gets bad SASL answers? To be clear, the file access problem goes away when I go static uid:gid. And the unknown user problem goes away when I go normal LDAP userdb. I can even chmod 777 a maildir and be fine until a new mail gets processed by the old mail server and stored as 600.
Do I need to use a different SASL package? Or can I get dovecot to do file access 8:8 while still making postfix happy?
0 Answers
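As an added example (not the poster's file, and not an answer from the thread), here is the LDAP userdb file from the question rewritten so that the static 8:8 ownership is expressed the way Dovecot 2.x reads static userdb fields: an empty LDAP attribute name in front of `=field=value`. The `user_filter` line and the static-field syntax are assumptions on my part about Dovecot's LDAP userdb, not something the question shows; `secretPW` is the question's placeholder.

```conf
# /etc/dovecot/ldap-userdb.conf.ext  (constructed example, not the poster's file)
# This file holds the LDAP bind password: keep it root-owned, mode 0600.
uris = ldap://ldapserver.domain.com
dn = cn=admin,dc=domain,dc=COM
# placeholder from the question; use the real bind password here
dnpass = secretPW
auth_bind = no
ldap_version = 3
base = ou=Users, dc=DOMAIN, dc=COM

# passdb side, unchanged from the question
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=mailUser)(|(mailDestination=%u)(uid=%n)))
default_pass_scheme = SSHA

# userdb side.  "ldapAttr=dovecotField" maps an LDAP attribute onto a
# Dovecot field, so the question's "uid=8,gid=8" maps the LDAP attribute
# "uid" (the login name) onto a Dovecot field called "8" and never sets
# the numeric uid at all.  Leaving the LDAP attribute name empty
# ("=field=value") gives every user the same static value instead, which
# mirrors the static userdb "uid=8 gid=8 home=/var/mail/%u" that made the
# Maildir permission errors go away.  (Assumed Dovecot 2.x syntax.)
user_attrs = =uid=8,=gid=8,=home=/var/mail/%u
# assumed filter: restrict userdb lookups to the same object class as passdb
user_filter = (&(objectClass=mailUser)(uid=%n))
```

Before restarting, `doveadm user timmytester` shows the uid, gid and home the userdb now returns, so the 8:8 result can be checked against the directory ownership in the "Permission denied (euid=1193 ... egid=555" error. This only covers the file-ownership half of the question: the "unknown user" bounce is issued by Postfix's local(8) delivery agent, which resolves recipients through the system passwd database rather than through Dovecot SASL, so switching the userdb does not by itself change that outcome.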