Dovecot can be setup to run as a virtual user, for example 'vmail'.
Sieve scripts are then run with the UID of root but the EUID of
the vmail user. GnuPG will not run if the EUID does not match the
UID as a measure to prevent the system letting it keep root privs.
http://lists.gnupg.org/pipermail/gnupg-users/2006-August/029109.html