diff --git a/charts/mok/README.md b/charts/mok/README.md
index 1c51b608edb4c52174224dfdf580d914aec6fa29..2760d37ccf40bdc03f70b83229979c28e04a0b30 100644
--- a/charts/mok/README.md
+++ b/charts/mok/README.md
@@ -39,6 +39,7 @@ Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that run
 | dovecot.securityContext.capabilities.add[2] | string | `"CAP_NET_BIND_SERVICE"` | required to bind privileged ports in the container, such as 993, 143, 24, etc. |
 | dovecot.securityContext.capabilities.add[3] | string | `"SETUID"` | required to drop privileges with dovecot process |
 | dovecot.securityContext.capabilities.add[4] | string | `"SETGID"` | required to drop privileges with dovecot process |
+| dovecot.securityContext.capabilities.add[5] | string | `"FOWNER"` | required to create spool directories |
 | dovecot.securityContext.capabilities.drop[0] | string | `"ALL"` | required to drop privileges by default |
 | dovecot.securityContext.runAsNonRoot | bool | `false` |  |
 | dovecot.service.internal.type | string | `"ClusterIP"` | type of the public endpoint for lmtp, metrics, authentication |
diff --git a/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap b/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap
index a0353e1bfd732c120c983a12b3f3438859db4a0f..638a388a8b093cc35485755a823a812e7187d1f0 100644
--- a/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap
+++ b/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap
@@ -122,6 +122,7 @@ should match snapshot:
                 - CAP_NET_BIND_SERVICE
                 - SETUID
                 - SETGID
+                - FOWNER
                 drop:
                 - ALL
               runAsNonRoot: false
diff --git a/charts/mok/values.yaml b/charts/mok/values.yaml
index 54b5400a1bd7b2fafcc109d7b2b30f56448ad5af..d18a7cf6aa635c24cab9a22f3bc0a9d26b6c8ea8 100644
--- a/charts/mok/values.yaml
+++ b/charts/mok/values.yaml
@@ -136,6 +136,8 @@ dovecot:
         - SETUID
         # -- required to drop privileges with dovecot process
         - SETGID
+        # -- required to create spool directories
+        - FOWNER
       drop:
         # -- required to drop privileges by default
         - ALL
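Review bot: The comment on the added `FOWNER` entry says only "required to create spool directories", which does not explain why the container needs a capability that bypasses file-ownership checks (chmod, utime and similar on files the process does not own); creating a directory does not normally require it. Presumably dovecot changes the mode of paths on a mounted volume owned by a different UID. If so, the comment should name that operation, e.g. `# -- required to chmod spool directories on volumes not owned by the dovecot process UID`. Since the README hunk shows `runAsNonRoot: false`, it is also worth checking whether a pod-level `fsGroup` or an init container that fixes ownership would let the main container run without `FOWNER`.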