diff --git a/Dockerfile b/Dockerfile
index 4a02cb61..16db5638 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,7 +20,10 @@ SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]
 # -----------------------------------------------
 
 COPY target/bin/sedfile /usr/local/bin/sedfile
-RUN chmod +x /usr/local/bin/sedfile
+RUN <<EOF
+  chmod +x /usr/local/bin/sedfile
+  adduser --quiet --system --group --disabled-password --home /var/lib/clamav --no-create-home --uid 200 clamav
+EOF
 
 COPY target/scripts/build/* /build/
 COPY target/scripts/helpers/log.sh /usr/local/bin/helpers/log.sh
@@ -31,6 +34,12 @@ RUN /bin/bash /build/packages.sh
 # --- ClamAV & FeshClam -------------------------
 # -----------------------------------------------
 
+# Copy over latest DB updates from official ClamAV image. This is better than running `freshclam`,
+# which would require an extra memory of 500MB+ during an image build.
+# When using `COPY --link`, the `--chown` option is only compatible with numeric ID values.
+# hadolint ignore=DL3021
+COPY --link --chown=200 --from=docker.io/clamav/clamav:latest /var/lib/clamav /var/lib/clamav
+
 RUN <<EOF
   echo '0 */6 * * * clamav /usr/bin/freshclam --quiet' >/etc/cron.d/clamav-freshclam
   chmod 644 /etc/clamav/freshclam.conf
@@ -40,10 +49,6 @@ RUN <<EOF
   rm -rf /var/log/clamav/
 EOF
 
-# Copy over latest DB updates from official ClamAV image. Better than running `freshclam` (which requires extra RAM during build)
-# hadolint ignore=DL3021
-COPY --link --from=docker.io/clamav/clamav:latest /var/lib/clamav /var/lib/clamav
-
 # -----------------------------------------------
 # --- Dovecot -----------------------------------
 # -----------------------------------------------
diff --git a/target/scripts/start-mailserver.sh b/target/scripts/start-mailserver.sh
index 66ac69e0..795b5129 100755
--- a/target/scripts/start-mailserver.sh
+++ b/target/scripts/start-mailserver.sh
@@ -148,7 +148,6 @@ function _register_functions
   # ? >> Fixes
 
   _register_fix_function '_fix_var_mail_permissions'
-  [[ ${ENABLE_AMAVIS} -eq 1 ]] && _register_fix_function '_fix_var_amavis_permissions'
 
   [[ ${ENABLE_CLAMAV} -eq 0 ]] && _register_fix_function '_fix_cleanup_clamav'
   [[ ${ENABLE_SPAMASSASSIN} -eq 0 ]] &&	_register_fix_function '_fix_cleanup_spamassassin'
diff --git a/target/scripts/startup/fixes-stack.sh b/target/scripts/startup/fixes-stack.sh
index 9a2f9615..b118b742 100644
--- a/target/scripts/startup/fixes-stack.sh
+++ b/target/scripts/startup/fixes-stack.sh
@@ -21,16 +21,6 @@ function _fix_var_mail_permissions
   _log 'trace' 'Permissions in /var/mail look OK'
 }
 
-function _fix_var_amavis_permissions
-{
-  local AMAVIS_STATE_DIR='/var/mail-state/lib-amavis'
-  [[ ${ONE_DIR} -eq 0 ]] && AMAVIS_STATE_DIR="/var/lib/amavis"
-  [[ ! -e ${AMAVIS_STATE_DIR} ]] && return 0
-
-  _log 'trace' 'Fixing Amavis permissions'
-  chown -hR amavis:amavis "${AMAVIS_STATE_DIR}" || _shutdown 'Failed to fix Amavis permissions'
-}
-
 function _fix_cleanup_clamav
 {
   _log 'trace' 'Cleaning up disabled ClamAV'
diff --git a/target/scripts/startup/misc-stack.sh b/target/scripts/startup/misc-stack.sh
index 0c78fa76..ca014453 100644
--- a/target/scripts/startup/misc-stack.sh
+++ b/target/scripts/startup/misc-stack.sh
@@ -21,6 +21,7 @@ function _misc_save_states
   then
     _log 'debug' "Consolidating all state onto ${STATEDIR}"
 
+    # Always enabled features:
     FILES=(
       spool/postfix
       lib/postfix
@@ -33,8 +34,8 @@ function _misc_save_states
     [[ ${ENABLE_FAIL2BAN} -eq 1 ]] && FILES+=('lib/fail2ban')
     [[ ${ENABLE_FETCHMAIL} -eq 1 ]] && FILES+=('lib/fetchmail')
     [[ ${ENABLE_POSTGREY} -eq 1 ]] && FILES+=('lib/postgrey')
-    [[ ${ENABLE_RSPAMD} -ne 1 ]] && FILES+=('lib/rspamd')
-    # [[ ${ENABLE_RSPAMD} -ne 1 ]] && FILES+=('lib/redis')
+    [[ ${ENABLE_RSPAMD} -eq 1 ]] && FILES+=('lib/rspamd')
+    # [[ ${ENABLE_RSPAMD} -eq 1 ]] && FILES+=('lib/redis')
     [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && FILES+=('lib/spamassassin')
     [[ ${SMTP_ONLY} -ne 1 ]] && FILES+=('lib/dovecot')
 
@@ -43,36 +44,48 @@ function _misc_save_states
       DEST="${STATEDIR}/${FILE//\//-}"
       FILE="/var/${FILE}"
 
+      # If relevant content is found in /var/mail-state (presumably a volume mount),
+      # use it instead. Otherwise copy over any missing directories checked.
       if [[ -d ${DEST} ]]
       then
         _log 'trace' "Destination ${DEST} exists, linking ${FILE} to it"
+        # Original content from image no longer relevant, remove it:
         rm -rf "${FILE}"
-        ln -s "${DEST}" "${FILE}"
       elif [[ -d ${FILE} ]]
       then
         _log 'trace' "Moving contents of ${FILE} to ${DEST}"
+        # Empty volume was mounted, or new content from enabling a feature ENV:
         mv "${FILE}" "${DEST}"
-        ln -s "${DEST}" "${FILE}"
-      else
-        _log 'trace' "Linking ${FILE} to ${DEST}"
-        mkdir -p "${DEST}"
-        ln -s "${DEST}" "${FILE}"
       fi
+
+      # Symlink the original path in the container ($FILE) to be
+      # sourced from assocaiated path in /var/mail-state/ ($DEST):
+      ln -s "${DEST}" "${FILE}"
     done
 
+    # This ensures the user and group of the files from the external mount have their
+    # numeric ID values in sync. New releases where the installed packages order changes
+    # can change the values in the Docker image, causing an ownership mismatch.
+    # NOTE: More details about users and groups added during image builds are documented here:
+    # https://github.com/docker-mailserver/docker-mailserver/pull/3011#issuecomment-1399120252
     _log 'trace' 'Fixing /var/mail-state/* permissions'
-    [[ ${ENABLE_CLAMAV} -eq 1 ]] && chown -R clamav /var/mail-state/lib-clamav
-    [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && chown -R debian-spamd /var/mail-state/lib-spamassassin
-    [[ ${ENABLE_POSTGREY} -eq 1 ]] && chown -R postgrey /var/mail-state/lib-postgrey
+    [[ ${ENABLE_AMAVIS}       -eq 1 ]] && chown -R amavis:amavis             /var/mail-state/lib-amavis
+    [[ ${ENABLE_CLAMAV}       -eq 1 ]] && chown -R clamav:clamav             /var/mail-state/lib-clamav
+    [[ ${ENABLE_FETCHMAIL}    -eq 1 ]] && chown -R fetchmail:nogroup         /var/mail-state/lib-fetchmail
+    [[ ${ENABLE_POSTGREY}     -eq 1 ]] && chown -R postgrey:postgrey         /var/mail-state/lib-postgrey
+    [[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && chown -R debian-spamd:debian-spamd /var/mail-state/lib-spamassassin
 
-    chown -R postfix /var/mail-state/lib-postfix
+    chown -R postfix:postfix /var/mail-state/lib-postfix
 
+    # NOTE: The Postfix spool location has mixed owner/groups to take into account:
     # UID = postfix(101): active, bounce, corrupt, defer, deferred, flush, hold, incoming, maildrop, private, public, saved, trace
     # UID = root(0): dev, etc, lib, pid, usr
     # GID = postdrop(103): maildrop, public
     # GID for all other directories is root(0)
+    # NOTE: `spool-postfix/private/` will be set to `postfix:postfix` when Postfix starts / restarts
     # Set most common ownership:
     chown -R postfix:root /var/mail-state/spool-postfix
+    chown root:root /var/mail-state/spool-postfix
     # These two require the postdrop(103) group:
     chgrp -R postdrop /var/mail-state/spool-postfix/maildrop
     chgrp -R postdrop /var/mail-state/spool-postfix/public