diff --git a/mail/docker-mailserver.yaml b/mail/docker-mailserver.yaml
index 78e4744..30afd40 100644
--- a/mail/docker-mailserver.yaml
+++ b/mail/docker-mailserver.yaml
@@ -39,24 +39,28 @@ data:
   SPAMASSASSIN_SPAM_TO_INBOX: "1"
 
   ACCOUNT_PROVISIONER: LDAP
-  LDAP_TLS_REQCERT: never
+
   LDAP_SERVER_HOST: ldap://dc1.undercloud.local:389
-  LDAP_START_TLS: yes
+  LDAP_START_TLS: "yes"
   LDAP_SEARCH_BASE: DC=undercloud,DC=local
   LDAP_BIND_DN: CN=mailserver,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
 
+  # These Postfix LDAP filters may still need AD-specific cleanup later,
+  # but they are not the current IMAP auth blocker:
   LDAP_QUERY_FILTER_DOMAIN: (|(mail=*@%s)(mailAlias=*@%s)(mailGroupMember=*@%s))
   LDAP_QUERY_FILTER_USER: (&(objectClass=person)(mail=%s))
   LDAP_QUERY_FILTER_ALIAS: (&(objectClass=person)(mailAlias=%s))
   LDAP_QUERY_FILTER_SENDERS: (&(objectClass=person)(|(mail=%s)(mailAlias=%s)))
   LDAP_QUERY_FILTER_GROUP: (&(objectClass=group)(mail=%s))
 
-  DOVECOT_AUTH_BIND: yes
+  DOVECOT_URIS: ldap://dc1.undercloud.local:389
+  DOVECOT_TLS: "yes"
+  DOVECOT_AUTH_BIND: "yes"
+  DOVECOT_DN: CN=mailserver,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
   DOVECOT_USER_FILTER: (&(objectClass=user)(sAMAccountName=%n))
   DOVECOT_PASS_FILTER: (&(objectClass=user)(sAMAccountName=%n))
   DOVECOT_PASS_ATTRS: sAMAccountName=user
-  DOVECOT_DN: CN=mailserver,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
-
+  DOVECOT_USER_ATTRS: =home=/var/mail/%{ldap:sAMAccountName},=mail=maildir:~/Maildir,=uid=5000,=gid=5000
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim