diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
index 494559b656266a946a75151fe47a63ef270c5545..d3156553c2f675abc9def9f1e3c0bd715eb1db9e 100644
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
@@ -15,6 +15,12 @@
   notify:
     - reload dovecot
 
+- name: add vmail group
+  group: name=vmail gid=5000
+
+- name: add vmail user
+  user: name=vmail uid=5000 shell=/usr/bin/nologin group=vmail
+
 - name: install PAM config
   copy: src=pam.d.dovecot dest=/etc/pam.d/dovecot mode=0644 owner=root group=root
 
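Review bot: The `add vmail user` task leaves the home path and its permissions to the host's useradd defaults, yet the Dovecot template in this same commit hard-codes `/home/vmail/%d/%n` as the mail location. On hosts where the default home mode is group- or world-accessible, other local accounts could traverse into the mail store. Set `home=/home/vmail` explicitly on the `user:` line and follow it with a task that pins the mode, for example `file: path=/home/vmail state=directory owner=vmail group=vmail mode=0700`. Because uid/gid 5000 is fixed, it is also worth confirming that no existing account on the target hosts already holds that id.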
diff --git a/roles/dovecot/templates/dovecot.conf.j2 b/roles/dovecot/templates/dovecot.conf.j2
index 9bb7862f1e67ec17304a80147614e372f1cdfb7b..1ccbe83e0999592444f36a483ea9f65bcb524f7c 100644
--- a/roles/dovecot/templates/dovecot.conf.j2
+++ b/roles/dovecot/templates/dovecot.conf.j2
@@ -97,6 +97,8 @@ ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDH
 
 userdb {
 	driver = passwd
+	# https://doc.dovecot.org/configuration_manual/config_file/config_variables/
+	override_fields = uid=vmail gid=vmail home=/home/vmail/%d/%n
 }
 protocol imap {
 	imap_client_workarounds = tb-extra-mailbox-sep
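Review bot: With `override_fields = uid=vmail gid=vmail ...` every passwd user's mailbox is now accessed under the same uid, so the kernel no longer separates one user's mail from another's. Isolation rests on the `home=/home/vmail/%d/%n` path alone, and any post-login process flaw would expose all mailboxes. That trade-off deserves a comment in the block, e.g. `# all mailboxes share uid/gid vmail; per-user isolation depends on the home path only`. Also, `%d` expands to an empty string when the login name has no domain part, which is likely the usual case with `driver = passwd`, so homes would land in `/home/vmail//%n`. Confirm that logins always carry a domain, or drop `%d` from the path.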