diff --git a/docs/installation/docker.md b/docs/installation/docker.md
index c421bbd1e..77b999fa0 100644
--- a/docs/installation/docker.md
+++ b/docs/installation/docker.md
@@ -41,8 +41,6 @@ Example:
 docker run -v /etc/dovecot-config:/etc/dovecot/conf.d:ro -v /srv/vmail:/srv/vmail -p 143:31143 -p 993:31993 dovecot/dovecot:latest
 ```
 
-Dovecot uses TLS certificates from `/etc/dovecot/ssl` directory. The full chain certificate name is expected to be `tls.crt`, and key file `tls.key`.
-
 POP3 service is not enabled by default, if you need pop3, place a pop3.conf drop-in to conf.d:
 
 ```
@@ -53,6 +51,26 @@ protocols {
 
 By default imap, submission, lmtp and sieve protocols are enabled.
 
+### Authentication
+
+The default auth configuration is in conf.d/auth.conf, which has
+```
+passdb static {
+  password = $ENV:USER_PASSWORD
+}
+```
+
+This is useful only for testing purposes and single-user instances. To configure multiple users or other authentication methods, you need to override this file.
+
+### TLS configuration
+
+Default certificate is expected at `/etc/dovecot/ssl/tls.crt` and key at `/etc/dovecot/ssl/tls.key`. You can override `conf.d/ssl.conf` to change this.
+
+### Complex configuration
+
+You can also override the entire `/etc/dovecot/dovecot.conf` file, just make sure you include `/etc/dovecot/vendor.d/rootless.conf` in your configuration either
+direcly, or via include. This is not needed if you use the `-root` variant image.
+
 ## Listening ports
 
 Since v2.4.1 ports are exposed as non-privileged ports. You need to map these
@@ -65,7 +83,7 @@ to the ports that you need.
 | imap        | 31143 |
 | imaps       | 31993 |
 | pop3        | 31110 |
-| pop3s       | 31990 |
+| pop3s       | 31995 |
 | submissions | 31465 |
 | submission  | 31587 |
 | lmtps       | 31024 |
@@ -81,12 +99,12 @@ To run the system fully read-only, use:
 docker run --read-only --tmpfs /tmp --tmpfs /run/dovecot -v /srv/vmail:/srv/vmail --rm -it dovecot/dovecot:latest
 ```
 
-Dovecot will need write permissions to `/tmp`, `/run` and persistent mail storage at `/srv/vmail`.
+Dovecot will need write permissions to `/tmp`, `/run/dovecot` and persistent mail storage at `/srv/vmail`.
 
 ## Running without Linux capabilities
 
 By default, Dovecot needs `CAP_SYS_CHROOT` capability. To remove this requirements, you can prevent chrooting
-by placing no-chroot.conf to drop-in directory:
+by placing no-chroot.conf to `conf.d` directory:
 
 ```
 service submission-login {