diff --git a/docs/content/config/advanced/kubernetes.md b/docs/content/config/advanced/kubernetes.md
index 93cc0884..8a47bffc 100644
--- a/docs/content/config/advanced/kubernetes.md
+++ b/docs/content/config/advanced/kubernetes.md
@@ -190,7 +190,10 @@ spec:
 imagePullPolicy: IfNotPresent
 securityContext:
- allowPrivilegeEscalation: false
+ # Required to support SGID via `postdrop` executable
+ # in `/var/mail-state` for Postfix (maildrop + public dirs):
+ # https://github.com/docker-mailserver/docker-mailserver/pull/3625
+ allowPrivilegeEscalation: true
 readOnlyRootFilesystem: false
 runAsUser: 0
 runAsGroup: 0
diff --git a/target/scripts/startup/setup.d/mail_state.sh b/target/scripts/startup/setup.d/mail_state.sh
index ffc31791..73c2515b 100644
--- a/target/scripts/startup/setup.d/mail_state.sh
+++ b/target/scripts/startup/setup.d/mail_state.sh
@@ -105,10 +105,10 @@ function _setup_save_states() {
 # These two require the postdrop(103) group:
 chgrp -R postdrop "${STATEDIR}"/spool-postfix/{maildrop,public}
- # After changing the group, special bits (set-gid, sticky) may be stripped, restore them:
- # Ref: https://github.com/docker-mailserver/docker-mailserver/pull/3149#issuecomment-1454981309
- chmod 1730 "${STATEDIR}/spool-postfix/maildrop"
- chmod 2710 "${STATEDIR}/spool-postfix/public"
+ # These permissions rely on the `postdrop` binary having the SGID bit set.
+ # Ref: https://github.com/docker-mailserver/docker-mailserver/pull/3625
+ chmod 730 "${STATEDIR}/spool-postfix/maildrop"
+ chmod 710 "${STATEDIR}/spool-postfix/public"
 elif [[ ${ONE_DIR} -eq 1 ]]; then
 _log 'warn' "'ONE_DIR=1' but no volume was mounted to '${STATEDIR}'"
 else
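Review bot: The new `chmod 730`/`chmod 710` lines state in their comment that they depend on the `postdrop` binary carrying the SGID bit, but nothing in the hunk verifies that precondition, so a deployment where the bit is stripped (the companion kubernetes.md hunk shows `allowPrivilegeEscalation` had to be flipped to `true` for exactly this reason) would fail silently at mail submission time rather than at startup. Dropping the sticky bit from `maildrop` also means any writer in the `postdrop` group can remove other users' queued files, which is acceptable only while the SGID `postdrop` binary is the sole expected writer there. I would add a startup check right after the two `chmod` lines, e.g. `local POSTDROP_BIN; POSTDROP_BIN=$(command -v postdrop) && [[ -g ${POSTDROP_BIN} ]] || _log 'warn' "'postdrop' is not SGID; submission into '${STATEDIR}/spool-postfix/maildrop' may fail"`, so the relaxed permissions are visibly tied to the binary they rely on. The enclosing `_setup_save_states` function starts and ends outside the hunk.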