Yeah, makes sense. I think the permissions for that user/domain got a bit screwed up a while back - most of them are owned by user:user, except where they've been explicitly fixed.
And yes, there are distinct apache and cpanel users.
...oh, and I just found this reply sitting here unposted. :S No idea if I was going to write anything else in it. Oh well.
I just had an odd situation - the directory had stopped letting people in.
Turned out the /home/user/.htpasswds directory had disappeared (thus the passwd file wasn't loaded and user was unrecognised).
After poking around, I found it at /home/user/.neomail/.htpasswds - no idea how it got inside there. :?