diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0ead51f5..5564d8aa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -109,6 +109,7 @@ The most noteworthy change of this release is the update of the container's base
 - Rspamd configuration: Add a missing comma in `local_networks` so that all internal IP addresses are actually considered as internal ([#3862](https://github.com/docker-mailserver/docker-mailserver/pull/3862))
 - Ensure correct SELinux security context labels for files and directories moved to the mail-state volume during setup ([#3890](https://github.com/docker-mailserver/docker-mailserver/pull/3890))
 - Use correct environment variable for fetchmail ([#3901](https://github.com/docker-mailserver/docker-mailserver/pull/3901))
+- When using `ENABLE_GETMAIL=1` the undocumented internal location `/var/lib/getmail/` usage has been removed. Only the config volume `/tmp/docker-mailserver/getmail/` location is supported when Getmail has not been configured to deliver mail to Dovecot as advised in the DMS docs ([#4018](https://github.com/docker-mailserver/docker-mailserver/pull/4018))
 - Dovecot dummy accounts (_virtual alias workaround for dovecot feature `ENABLE_QUOTAS=1`_) now correctly matches the home location of the user for that alias ([#3997](https://github.com/docker-mailserver/docker-mailserver/pull/3997))
 
 ## [v13.3.1](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.3.1)
diff --git a/target/bin/debug-fetchmail b/target/bin/debug-fetchmail
index 7e267184..87d30e2b 100755
--- a/target/bin/debug-fetchmail
+++ b/target/bin/debug-fetchmail
@@ -5,6 +5,12 @@ source /usr/local/bin/helpers/log.sh
 # shellcheck source=../scripts/startup/setup.d/fetchmail.sh
 source /usr/local/bin/setup.d/fetchmail.sh
 
+# TODO: This should probably not implicitly enable the feature.
+# The setup method will feature gate and output a debug log if
+# the feature is not enabled.
+#
+# Dropping the ENV here will require updating legacy test:
+# test/tests/parallel/set3/scripts/setup_cli.bats
 ENABLE_FETCHMAIL=1 _setup_fetchmail
 
 su -s /bin/sh -c "/usr/bin/fetchmail \
diff --git a/target/bin/debug-getmail b/target/bin/debug-getmail
index 27834475..60270215 100644
--- a/target/bin/debug-getmail
+++ b/target/bin/debug-getmail
@@ -7,13 +7,7 @@ source /usr/local/bin/setup.d/getmail.sh
 
 _setup_getmail
 
-if [[ -d /var/lib/getmail ]]; then
-  GETMAILDIR=/var/lib/getmail
-else
-  mkdir -p /tmp/docker-mailserver/getmail
-  GETMAILDIR=/tmp/docker-mailserver/getmail
-fi
-
+GETMAILDIR=/tmp/docker-mailserver/getmail
 for FILE in /etc/getmailrc.d/getmailrc*; do
   getmail --getmaildir "${GETMAILDIR}" --rcfile "${FILE}" --dump | tail -n +6
 done
diff --git a/target/bin/getmail-cron b/target/bin/getmail-cron
index 8e1e4749..fec03906 100644
--- a/target/bin/getmail-cron
+++ b/target/bin/getmail-cron
@@ -1,7 +1,8 @@
 #! /bin/bash
 
+GETMAILDIR=/tmp/docker-mailserver/getmail
 for FILE in /etc/getmailrc.d/getmailrc*; do
   if ! pgrep -f "${FILE}$" &>/dev/null; then
-    getmail --getmaildir /var/lib/getmail --rcfile "${FILE}"
+    getmail --getmaildir "${GETMAILDIR}" --rcfile "${FILE}"
   fi
 done
diff --git a/target/scripts/startup/setup.d/getmail.sh b/target/scripts/startup/setup.d/getmail.sh
index 6f280118..c1345063 100644
--- a/target/scripts/startup/setup.d/getmail.sh
+++ b/target/scripts/startup/setup.d/getmail.sh
@@ -31,6 +31,11 @@ function _setup_getmail() {
 EOF
       chmod -R 600 "${GETMAILRC}"
     fi
+
+    # Both the debug command and cron job (that runs getmail) for getmail
+    # expect this location to exist.
+    GETMAILDIR=/tmp/docker-mailserver/getmail
+    mkdir -p "${GETMAILDIR}"
   else
     _log 'debug' 'Getmail is disabled'
   fi
diff --git a/target/scripts/startup/setup.d/mail_state.sh b/target/scripts/startup/setup.d/mail_state.sh
index 5acf6762..de15ee3b 100644
--- a/target/scripts/startup/setup.d/mail_state.sh
+++ b/target/scripts/startup/setup.d/mail_state.sh
@@ -23,7 +23,6 @@ function _setup_save_states() {
     [[ ${ENABLE_CLAMAV}       -eq 1 ]] && SERVICEDIRS+=('lib/clamav')
     [[ ${ENABLE_FAIL2BAN}     -eq 1 ]] && SERVICEDIRS+=('lib/fail2ban')
     [[ ${ENABLE_FETCHMAIL}    -eq 1 ]] && SERVICEDIRS+=('lib/fetchmail')
-    [[ ${ENABLE_GETMAIL}      -eq 1 ]] && SERVICEDIRS+=('lib/getmail')
     [[ ${ENABLE_MTA_STS}      -eq 1 ]] && SERVICEDIRS+=('lib/mta-sts')
     [[ ${ENABLE_POSTGREY}     -eq 1 ]] && SERVICEDIRS+=('lib/postgrey')
     [[ ${ENABLE_RSPAMD}       -eq 1 ]] && SERVICEDIRS+=('lib/rspamd')
@@ -70,11 +69,13 @@ function _setup_save_states() {
         rm -rf "${SERVICEDIR}"
       elif [[ -d ${SERVICEDIR} ]]; then
         _log 'trace' "Moving contents of ${SERVICEDIR} to ${DEST}"
-        # Empty volume was mounted, or new content from enabling a feature ENV:
+        # An empty volume was mounted, or new content dir now exists from enabling a feature ENV:
         mv "${SERVICEDIR}" "${DEST}"
         # Apply SELinux security context to match the state directory, so access
         # is not restricted to the current running container:
         chcon -R --reference="${STATEDIR}" "${DEST}" 2>/dev/null || true
+      else
+        _log 'error' "${SERVICEDIR} should exist but is missing"
       fi
 
       # Symlink the original path in the container ($SERVICEDIR) to be