diff --git a/defaults/main.yml b/defaults/main.yml
index ff7fe41..6f4847c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -27,6 +27,21 @@ mailserver:
 dovecot:
 debug: false
 config: {}
+ # Define shell scripts callable from sieve scripts via vnd.dovecot.execute
+ # Per default, these are only available in global sieve scripts (i.e. not in user scripts)!
+ sieve_extprograms: {} # cmd name -> shell script
+ # Global sieve scripts
+ sieve_after: null
+ sieve_default: null
+ sieve_before: null
+ sieve_mailbox_handlers: {} # See imapsieve_mailboxXXX, list items
+ # from_elsewhere_to_spam:
+ # name: Spam
+ # causes: COPY
+ # before: |
+ # require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables", "imap4flags"];
+ # addflag "\\Seen";ยด
+ # pipe :copy "learn-spam.rspamd.script";
 postfixadmin:
 php_fpm_config:
 user: postfixadmin
diff --git a/tasks/main.yml b/tasks/main.yml
index 55b746d..be2bb74 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
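Review bot: The commented example under `sieve_mailbox_handlers` ends the `addflag "\\Seen";` line with a stray `ยด` (apparently a mis-encoded `´`), so anyone who uncomments it gets a script that sievec should reject; the line should end at the semicolon. The example pipes to `learn-spam.rspamd.script` without showing the matching `sieve_extprograms` entry, and the comment above names only vnd.dovecot.execute while the example uses vnd.dovecot.pipe. I would document the variable with something like `# key = file name under /etc/dovecot/sieve-extprograms, value = script body; installed root-owned with mode 0755 and fed message content by dovecot`, so operators know these values become executables that process untrusted mail.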
@@ -88,6 +88,45 @@
 - dovecot-dict-sql.conf
 notify: restart dovecot
+- name: create global sieve directories
+ ansible.builtin.file:
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+ path: "{{ item }}"
+ loop:
+ - /etc/dovecot/sieve-scripts
+ - /etc/dovecot/sieve-extprograms
+
+- name: copy sieve extprograms
+ ansible.builtin.copy:
+ content: "{{ item.value }}\n"
+ dest: "/etc/dovecot/sieve-extprograms/{{ item.key }}"
+ owner: root
+ group: root
+ mode: "0755"
+ loop: "{{ mailserver.dovecot.sieve_extprograms|dict2items }}"
+
+- name: copy sieve scripts
+ ansible.builtin.copy:
+ content: "{{ item.value }}\n"
+ dest: "/etc/dovecot/sieve-scripts/{{ item.key }}.sieve"
+ owner: root
+ group: root
+ mode: "0644"
+ loop: |
+ {%- set result = {'after': mailserver.dovecot.sieve_after, 'before': mailserver.dovecot.sieve_before, 'default': mailserver.dovecot.sieve_default} -%}
+ {%- for name, handler in mailserver.dovecot.sieve_mailbox_handlers.items() -%}
+ {%- set tmp = result.update(**{'mailbox_'+name+'_before': handler.before|d(none), 'mailbox_'+name+'_after': handler.after|d(none)}) -%}
+ {%- endfor -%}
+ {{ result|dict2items|selectattr('value')|tojson }}
+ register: mailserver_sieve_scripts
+
+- name: compile sieve scripts
+ ansible.builtin.shell: "sievec '{{ item.dest }}'"
+ loop: "{{ mailserver_sieve_scripts.results }}"
+
 # prometheus-postfix-exporter
 - name: configure prometheus postfix exporter
 ansible.builtin.template:
diff --git a/templates/dovecot/dovecot.conf.j2 b/templates/dovecot/dovecot.conf.j2
index 43bc089..0158182 100644
--- a/templates/dovecot/dovecot.conf.j2
+++ b/templates/dovecot/dovecot.conf.j2
@@ -58,8 +58,7 @@ namespace inbox {
 # IMAP
 protocol imap {
- # TODO: imap_quota?
- mail_plugins = $mail_plugins
+ mail_plugins = $mail_plugins imap_sieve
 }
 service imap-login {
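Review bot: The `compile sieve scripts` task builds a shell command line from `item.dest`, which is derived from the keys of `mailserver.dovecot.sieve_mailbox_handlers`; a key containing a quote or shell metacharacter is no longer confined to the single-quoted argument, and nothing here needs a shell. `ansible.builtin.command` with `argv` passes the path as one argument, as in the excerpt below. The same keys, and those of `sieve_extprograms`, are interpolated into `dest:` paths written as root, so a key containing `/` or `..` lands outside the two directories; an `ansible.builtin.assert` that every key matches something like `^[A-Za-z0-9_][A-Za-z0-9._-]*$` before the copy tasks would catch that. Separately, `mode: 0755` in the directory task is an unquoted octal, unlike the quoted `"0755"` and `"0644"` in the two copy tasks.

```yaml
- name: compile sieve scripts
  ansible.builtin.command:
    argv:
      - sievec
      - "{{ item.dest }}"
  loop: "{{ mailserver_sieve_scripts.results }}"
```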
@@ -75,6 +74,25 @@ service imap-login {
 # Sieve
 plugin {
 sieve = file:~/sieve;active=~/.dovecot.sieve
+ sieve_plugins = sieve_imapsieve sieve_extprograms
+ sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
+ sieve_pipe_bin_dir = /etc/dovecot/sieve-extprograms
+
+{% for name, handler in mailserver.dovecot.sieve_mailbox_handlers.items() %}
+ # {{ name }}
+ imapsieve_mailbox{{ loop.index }}_name = {{ handler.name }}
+ imapsieve_mailbox{{ loop.index }}_causes = {{ handler.causes }}
+{% if handler.from|d(False) %}
+ imapsieve_mailbox{{ loop.index }}_from = {{ handler.from }}
+{% endif %}
+{% if handler.before|d(False) %}
+ imapsieve_mailbox{{ loop.index }}_before = /etc/dovecot/sieve-scripts/mailbox_{{ name }}_before.sieve
+{% endif %}
+{% if handler.after|d(False) %}
+ imapsieve_mailbox{{ loop.index }}_after = /etc/dovecot/sieve-scripts/mailbox_{{ name }}_after.sieve
+{% endif %}
+{% endfor %}
+
 }
 service managesieve-login {
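Review bot: `sieve_global_extensions` enables both vnd.dovecot.pipe and vnd.dovecot.execute, but only `sieve_pipe_bin_dir` is pointed at /etc/dovecot/sieve-extprograms. Pigeonhole resolves each extension's programs through its own `sieve_<extension>_bin_dir`, so `execute` calls will most likely not find the installed scripts, although the comment in defaults/main.yml advertises exactly that use. Either add `sieve_execute_bin_dir = /etc/dovecot/sieve-extprograms`, or drop `+vnd.dovecot.execute` so that only the capability actually wired up is enabled. The handler fields `handler.name`, `handler.causes` and `handler.from` are also written into the plugin block verbatim; a value containing a newline would add further plugin settings, so it is worth asserting in the role that they are single-line strings.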