lmtp Fatal: setresgid Operation not permitted
28 Jul
2024
4:30 p.m.
I am getting the following error when Postfix attempts LMTP delivery:
"lmtp(REDACTED)<32674><7Jm0BSVopmaifwAAbW4UVQ>: Fatal: setresgid(121(mailbox_user),121(mailbox_user),8(mail)) failed with euid=111(mailbox_user): Operation not permitted"
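mailbox_user is uid 111, gid 121 on my system. The third group in the failing call, 8(mail), is the group named by mail_privileged_group in the configuration below, and service lmtp is set to run with user = mailbox_user, so the process is already unprivileged (euid=111) when it attempts the group change.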
doveconf -n
=============
# 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.19 (4eae2f79)
# OS: Linux 6.1.0-22-cloud-amd64 x86_64 Debian 12.6 xfs
# Hostname: REDACTED
auth_verbose = yes
auth_verbose_passwords = sha1:7
doveadm_password = # hidden, use -P to show it
first_valid_gid = 121
first_valid_uid = 111
imap_capability = +SPECIAL-USE
imapc_features = rfc822.size fetch-headers fetch-bodystructure
imapc_port = 993
imapc_ssl = imaps
last_valid_gid = 121
last_valid_uid = 111
mail_location = maildir:/mnt/mxData/dovecot/%d/%n/Maildir
mail_plugins = notify replication push_notification
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted Messages" {
    auto = no
    special_use = \Trash
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/local_sql_users.conf
  driver = sql
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  vsz_limit = 2 G
}
service doveadm {
  inet_listener {
    port = 11867
    ssl = yes
  }
}
service imap-login {
  process_min_avail = 5
  service_count = 1
}
service lmtp {
  process_min_avail = 5
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = mailbox_user
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieves {
    address =
    port = 5190
    ssl = yes
  }
}
ssl = required
ssl_cert = <REDACTED
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/dovecot/local_sql_users.conf
  default_fields = uid=mailbox_user gid=mailbox_user home=/mnt/mxData/dovecot/%d/%n
  driver = sql
}
protocol lmtp {
  mail_plugins = notify replication push_notification sieve
}
protocol lda {
  deliver_log_format = msgid=%m: %$
  mail_plugins = notify replication push_notification sieve
  quota_full_tempfail = yes
  rejection_reason = Your message to <%t> was automatically rejected:%n%r
}
protocol imap {
  mail_max_userip_connections = 20
  mail_plugins = notify replication push_notification imap_sieve
}
=======
postconf -n
========
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
authorized_submit_users =
biff = no
compatibility_level = 2
default_database_type = cdb
disable_vrfy_command = yes
home_mailbox = Maildir/
indexed = ${default_database_type}:${config_directory}/
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
message_size_limit = 20480000
mydestination = REDACTED,localhost
mydomain = REDACTED
myhostname = REDACTED
mynetworks = $config_directory/mynetworks
mynetworks_style = subnet
myorigin = $mydomain
parent_domain_matches_subdomains =
recipient_delimiter = +
smtp_bind_address = 0.0.0.0
smtp_bind_address6 = ::
smtp_sasl_auth_enable = no
smtp_tls_policy_maps = ${indexed}smtp_tls_policy
smtpd_banner = $myhostname ESMTP
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = REDACTED
smtpd_tls_dh1024_param_file = REDACTED
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = REDACTED
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
tls_eecdh_strong_curve = prime256v1
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/random
virtual_alias_maps = pgsql:${config_directory}/pgsql_virtual.conf
virtual_gid_maps = static:121
virtual_mailbox_base = /mnt/mxData/dovecot
virtual_mailbox_domains = ${config_directory}/vhosts
virtual_mailbox_maps = pgsql:${config_directory}/pgsql_vmap.conf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:111
========
28 Jul
4:35 p.m.
I am getting the following error when Postfix attempts LMTP delivery :
"lmtp(REDACTED)<32674><7Jm0BSVopmaifwAAbW4UVQ>: Fatal: setresgid(121(mailbox_user),121(mailbox_user),8(mail)) failed with euid=111(mailbox_user): Operation not permitted"
mailbox_user is uid 111, gid 121 on my system.
Could this be related to the low uid/gid numbers? I think newer OS releases have raised their limits to above 1000 or so.
participants (2)
-
Marc
-
Rachel Roch