diff --git a/dovecot.nix b/dovecot.nix index 7d978f1..33caa73 100644 --- a/dovecot.nix +++ b/dovecot.nix @@ -17,6 +17,11 @@ in { description = "Directory at which to store server state."; }; + mail-directory = mkOption { + type = str; + description = "Directory at which to store user email."; + }; + ports = { lmtp = mkOption { type = port; @@ -192,7 +197,7 @@ in { systemd = { tmpfiles.rules = [ "d ${cfg.state-directory} 0751 ${cfg.mail-user} ${cfg.mail-group} - -" - "d ${cfg.state-directory}/mail 0750 ${cfg.mail-user} ${cfg.mail-group} - -" + "d ${cfg.mail-directory} 0750 ${cfg.mail-user} ${cfg.mail-group} - -" "d ${cfg.state-directory}/sieves 0750 ${config.services.dovecot2.user} ${config.services.dovecot2.group} - -" ]; @@ -263,7 +268,7 @@ in { mailUser = cfg.mail-user; mailGroup = cfg.mail-group; - mailLocation = "maildir:${cfg.state-directory}/mail/%u/"; + mailLocation = "maildir:${cfg.mail-directory}/%u/"; createMailUser = false; sslServerCert = cfg.ssl.certificate; @@ -357,9 +362,7 @@ in { # All users map to one actual system user userdb { driver = static - args = uid=${ - toString mailUserUid - } home=${cfg.state-directory}/mail/%u + args = uid=${toString mailUserUid} home=${cfg.mail-directory}/%u } service imap { diff --git a/mail-server.nix b/mail-server.nix index 01525ff..2b0d637 100644 --- a/mail-server.nix +++ b/mail-server.nix @@ -207,9 +207,10 @@ in { "dn = ${cfg.ldap.bind-dn}" "dnpass = ${readFile cfg.ldap.bind-password-file}" "auth_bind = yes" - "auth_bind_userdn = cn=%u,${cfg.ldap.member-ou},${cfg.ldap.base}" + "auth_bind_userdn = cn=%n,${cfg.ldap.member-ou},${cfg.ldap.base}" "base = ${cfg.ldap.base}" "user_filter = (&(objectClass=organizationalPerson)(cn=%n))" + "pass_filter = (&(objectClass=organizationalPerson)(cn=%n))" ]); target-file = "/run/dovecot-secret/ldap.conf"; }; 
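Review bot: The new `mail-directory` option in hunk @@ -17 has no `default`, so any other consumer of this module that relied on mail living under `${cfg.state-directory}/mail` now fails evaluation with a missing-value error instead of keeping its existing layout. `default = "${cfg.state-directory}/mail";` preserves the previous behaviour and still lets mail-server.nix set `/mail` (cfg is bound in the module's `let`, which is outside the hunk). Because the value is spliced into a tmpfiles `d` rule (hunk @@ -192) and into `mail_location` (hunk @@ -263), `type = path;` — if `path` is in scope the same way `str` and `port` are — rejects relative or empty values at eval time rather than producing a broken rule, and `example = "/mail";` documents the expected shape.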
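Review bot: `mailLocation = "maildir:${cfg.mail-directory}/%u/"` in hunk @@ -263 keys each maildir by `%u`, the full login name including any domain, while the LDAP passdb changed in mail-server.nix hunk @@ -207 now identifies the account by `%n`, the local part only. If clients can log in as both `alice` and `alice@example.org`, both bind as `cn=alice` yet receive different maildirs, and the static userdb's `home=${cfg.mail-directory}/%u` in hunk @@ -357 has the same split. Whether logins carry a domain is not visible in the diff; if they can, use `%n` in both Dovecot paths (or `%u` in the LDAP DN if per-domain mailboxes are intended) so that one LDAP identity maps to exactly one mailbox. The Dovecot settings block containing `mailLocation` starts and ends outside the hunk.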
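Review bot: The added `pass_filter = (&(objectClass=organizationalPerson)(cn=%n))` in mail-server.nix hunk @@ -207 most likely has no effect, because with `auth_bind = yes` and `auth_bind_userdn` set Dovecot binds directly with the templated DN and, as far as I recall, performs no passdb search at all (pass_attrs are unusable in that mode for the same reason). If the intent is to restrict authentication to entries of that objectClass, a direct bind cannot apply a filter; either drop `auth_bind_userdn` so the search-then-bind path evaluates `pass_filter`, or rely on the LDAP tree under `${cfg.ldap.member-ou}` containing only intended accounts and say so in a comment above the list. The dovecot.nix hunk @@ -357 shows a static userdb, so unless another LDAP userdb exists the `user_filter` line is not consulted either — worth confirming which of these filters is actually exercised. The list this line belongs to opens outside the hunk.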
@@ -220,6 +221,7 @@ in { "d ${cfg.state-directory}/dovecot-dhparams 0700 - - - -" "d ${cfg.state-directory}/antivirus 0700 - - - -" "d ${cfg.state-directory}/dkim 0700 - - - -" + "d ${cfg.state-directory}/mail 0700 - - - -" ]; virtualisation.arion.projects.mail-server.settings = let @@ -316,6 +318,7 @@ in { "${hostSecrets.dovecotLdapConfig.target-file}:/run/dovecot2/conf.d/ldap.conf:ro" "${cfg.imap.ssl-directory}:/run/certs/imap" "${cfg.state-directory}/dovecot-dhparams:/var/lib/dhparams" + "${cfg.state-directory}/mail:/mail" ]; depends_on = [ "antispam" "ldap-proxy" ]; }; @@ -329,6 +332,7 @@ in { enable = true; debug = cfg.debug; state-directory = "/state"; + mail-directory = "/mail"; ports = { lmtp = lmtpPort; auth = authPort;
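Review bot: The host-side rule `"d ${cfg.state-directory}/mail 0700 - - - -"` in hunk @@ -220 creates the directory root-owned with mode 0700, but the same directory is bind-mounted into the container at `/mail` (hunk @@ -316) where dovecot.nix hunk @@ -192 declares it `0750 ${cfg.mail-user} ${cfg.mail-group}` and Dovecot writes to it as that user. Whether the container's systemd-tmpfiles can re-own the bind mount depends on the container's privileges and uid mapping, which the diff does not show; if it cannot, delivery fails with a permission error, and if it can, the host's `0700 root` is silently overridden and no longer documents the effective access. Decide which side is authoritative, give the host rule the owner and mode the container expects (or a comment stating that the container adjusts them), so the two declarations do not disagree. If the container's `/state` was previously persisted, mail under the old `/state/mail` path (removed in dovecot.nix @@ -263) is not migrated to the new mount and should be moved once or called out in the commit message.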
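Review bot: The host path `${cfg.state-directory}/mail` is spelled out twice (hunks @@ -220 and @@ -316) and the container path `/mail` twice (hunks @@ -316 and @@ -329), so the mount source, mount target and the `mail-directory` option can drift apart independently. Bind them once in the enclosing `let` (outside these hunks), e.g. `hostMailDir = "${cfg.state-directory}/mail";` and `containerMailDir = "/mail";`, then use `"${hostMailDir}:${containerMailDir}"` in the volumes list and `mail-directory = containerMailDir;` in hunk @@ -329, with the tmpfiles rule referencing `hostMailDir`. That keeps the three places that must agree tied to a single definition.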