diff --git a/modules/mailserver.nix b/modules/mailserver.nix index 159efcd..f384d7d 100644 --- a/modules/mailserver.nix +++ b/modules/mailserver.nix @@ -303,6 +303,8 @@ in { enable = true; + modules = with pkgs; [ dovecot_pigeonhole ]; + enableLmtp = true; enablePAM = false; @@ -313,6 +315,20 @@ in sslServerCert = "${certDir}/fullchain.pem"; sslServerKey = "${certDir}/key.pem"; + mailboxes = { + Spam = { specialUse = "Junk"; auto = "subscribe"; }; + }; + + sieveScripts = { + before = pkgs.writeText "spam.sieve" '' + require "fileinto"; + + if header :is "X-Spam" "Yes" { + fileinto "Spam"; + } + ''; + }; + extraConfig = '' # generated 2021-02-04, Mozilla Guideline v5.6, Dovecot 2.3.13, OpenSSL 1.1.1i, intermediate configuration # https://ssl-config.mozilla.org/#server=dovecot&version=2.3.13&config=intermediate&openssl=1.1.1i&guideline=5.6 @@ -321,6 +337,14 @@ in ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl_prefer_server_ciphers = no + protocol imap { + mail_plugins = $mail_plugins imap_sieve + } + + protocol lmtp { + mail_plugins = $mail_plugins sieve + } + service imap-login { inet_listener imap { } 
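Review bot: The `Spam` mailbox and the `sieveScripts.before` rule in the second hunk are applied unconditionally, while the learning rules added in the last hunk are wrapped in `lib.optionalString cfg.spam.enable`. If that option is what enables the filter that stamps `X-Spam: Yes` (an inference, since the filter setup is not part of this diff), then with it disabled the only possible source of the header is the sender, and the rule acts on untrusted input. Gating the rule the same way keeps the pieces consistent, for example `sieveScripts = lib.mkIf cfg.spam.enable { before = …; };`. The same applies to the `imap_sieve` line in the `protocol imap` hunk and to `sieve_plugins` and `sieve_global_extensions` in the `plugin` block, which all sit outside the conditional. A short comment naming the component that sets `X-Spam`, and whether it removes a sender-supplied copy of the header, would help the next reader.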
@@ -354,8 +378,52 @@ in lda_mailbox_autosubscribe = yes lda_mailbox_autocreate = yes + + plugin { + sieve_plugins = sieve_imapsieve sieve_extprograms + + ${lib.optionalString cfg.spam.enable '' + imapsieve_mailbox1_name = Spam + imapsieve_mailbox1_causes = COPY + imapsieve_mailbox1_before = file:/var/lib/dovecot/sieve/learn-spam.sieve + + imapsieve_mailbox2_name = * + imapsieve_mailbox2_from = Spam + imapsieve_mailbox2_causes = COPY + imapsieve_mailbox2_before = file:/var/lib/dovecot/sieve/learn-ham.sieve + sieve_pipe_bin_dir = ${pkgs.symlinkJoin { name = "sieve-pipe-bin-dir"; paths = with pkgs; [ rspamd ]; } }/bin + ''} + + sieve_global_extensions = +vnd.dovecot.pipe + } ''; }; + systemd.services.dovecot2.preStart = lib.mkIf cfg.spam.enable + (lib.mkAfter + (lib.concatStrings + (lib.mapAttrsToList + (name: content: '' + cp ${pkgs.writeText name content} /var/lib/dovecot/sieve/${name} + '') + { + "learn-spam.sieve" = '' + require ["vnd.dovecot.pipe", "copy", "imapsieve"]; + pipe :copy "rspamc" ["learn_spam"]; + ''; + "learn-ham.sieve" = '' + require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"]; + + if environment :matches "imap.mailbox" "*" { + set "mailbox" "''${1}"; + } + + if string "''${mailbox}" "Trash" { + stop; + } + + pipe :copy "rspamc" ["learn_ham"]; + ''; + }))); # DNS (recursor for DNSBLs etc.) services.resolved.enable = false;
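Review bot: `sieve_pipe_bin_dir` is built with `symlinkJoin` over the whole `rspamd` package, so every executable in its `bin` directory becomes runnable through `pipe`, although the two learn scripts only call `rspamc`. Exposing just that one binary keeps the extprograms surface minimal, for example `sieve_pipe_bin_dir = ${pkgs.runCommand "sieve-pipe-bin-dir" { } "mkdir -p $out/bin && ln -s ${pkgs.rspamd}/bin/rspamc $out/bin/"}/bin`. The `preStart` fragment copies into `/var/lib/dovecot/sieve/` without a `mkdir -p`, an ownership change or a `sievec` run. Because it is appended with `lib.mkAfter` to a script that starts outside this hunk, it is not visible whether the directory exists at that point or whether the mail user can write the compiled scripts next to the sources, so this is worth confirming or making explicit. The learn rules also let any IMAP user train the classifier by moving mail, so if the statistics are shared between accounts (not shown here) a comment recording that trust assumption would be useful.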