diff --git a/manifests/init.pp b/manifests/init.pp
index 58be87c..c9be198 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -27,6 +27,8 @@
   $mail_debug                 = undef,
   # 10-mail.conf
   $mail_location              = undef,
+  $first_valid_uid            = undef,
+  $last_valid_uid             = undef,
   # 10-master.conf
   $default_process_limit      = undef,
   $default_client_limit       = undef,
diff --git a/templates/conf.d/10-mail.conf.erb b/templates/conf.d/10-mail.conf.erb
index 3a740af..21bc5d0 100644
--- a/templates/conf.d/10-mail.conf.erb
+++ b/templates/conf.d/10-mail.conf.erb
@@ -167,8 +167,16 @@ mail_location = <%= @mail_location %>
 # to make sure that users can't log in as daemons or other system users.
 # Note that denying root logins is hardcoded to dovecot binary and can't
 # be done even if first_valid_uid is set to 0.
+<% if @first_valid_uid -%>
+first_valid_uid = <%= @first_valid_uid %>
+<% else %>
 #first_valid_uid = 500
+<% end %>
+<% if @last_valid_uid -%>
+last_valid_uid = <%= @last_valid_uid %>
+<% else %>
 #last_valid_uid = 0
+<% end %>
 
 # Valid GID range for users, defaults to non-root/wheel. Users having
 # non-valid GID as primary group ID aren't allowed to log in. If user