diff --git a/README.md b/README.md index bde7c50..552c10e 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,7 @@ the user accounts. * Sieves - [x] A simple standard script that moves spam - [x] Allow user defined sieve scripts + - [x] ManageSieve support * User Aliases - [x] Regular aliases - [x] Catch all aliases @@ -179,6 +180,9 @@ common ones. enableImapSsl = true; enablePop3Ssl = true; + # Enable the ManageSieve protocol + enableManageSieve = true; + # whether to scan inbound emails for viruses (note that this requires at least # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty) virusScanning = false; diff --git a/default.nix b/default.nix index 5854226..04fd9d6 100644 --- a/default.nix +++ b/default.nix @@ -280,6 +280,18 @@ in ''; }; + enableManageSieve = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable ManageSieve, setting this option to true will open + port 4190 in the firewall. + + The ManageSieve protocol allows users to manage their Sieve scripts on + a remote server with a supported client, including Thunderbird. + ''; + }; + virusScanning = mkOption { type = types.bool; default = false; diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix index 89249b5..807a708 100644 --- a/mail-server/dovecot.nix +++ b/mail-server/dovecot.nix @@ -41,7 +41,7 @@ in protocols = [ "sieve" ]; sieveScripts = { - before = builtins.toFile "spam.sieve" '' + after = builtins.toFile "spam.sieve" '' require "fileinto"; if header :is "X-Spam" "Yes" { @@ -109,7 +109,9 @@ in } plugin { - sieve = file:/var/sieve/%u.sieve + sieve = file:/var/sieve/%u/scripts;active=/var/sieve/%u/active.sieve + sieve_default = file:/var/sieve/%u/default.sieve + sieve_default_name = default } lda_mailbox_autosubscribe = yes diff --git a/mail-server/networking.nix b/mail-server/networking.nix index c224b0a..20fa34f 100644 --- a/mail-server/networking.nix +++ b/mail-server/networking.nix 
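Review bot: `enableManageSieve` is described here as the switch that enables ManageSieve, but in the hunks shown it is only read in mail-server/networking.nix to open port 4190, while the context line `protocols = [ "sieve" ];` in mail-server/dovecot.nix stays unconditional. If that line is what starts Dovecot's ManageSieve listener, the service runs even with the option at its default of `false`, and only the firewall rule keeps it from being reached from outside. Gating the protocol on the same option, for example `protocols = lib.optional enableManageSieve "sieve";` (assuming `lib` and the option are in scope in dovecot.nix as they are in networking.nix), would make the behaviour match the description.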
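Review bot: The switch from `before` to `after` in `sieveScripts` changes the filtering order and deserves a comment, because the spam script now runs after the user's own script instead of ahead of it. As I understand Pigeonhole's sequencing, a later script only runs while the implicit keep is still in effect, so a user script that files or redirects a message would skip the spam move; it is worth confirming that this precedence is intended. Suggested comment above the line: `# Runs after the user's script; skipped when that script already disposed of the message.` The `sieveScripts` block continues past the end of the hunk.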
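Review bot: The new `sieve = file:/var/sieve/%u/scripts;active=/var/sieve/%u/active.sieve` location needs a per-user directory, yet the only place the visible hunks create `/var/sieve/${name}` is the `lib.isString sieveScript` branch in mail-server/users.nix. For an account without a `sieveScript`, script uploads would then depend on Dovecot being able to create that directory under `/var/sieve` itself, which these hunks do not show. Moving the `mkdir`/`chown`/`chmod` step in users.nix out of the conditional, so it runs for every login account, would remove that dependency. Files left over from the old `/var/sieve/%u.sieve` layout are also not migrated or removed by anything shown here.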
@@ -28,6 +28,7 @@ in ++ lib.optional enableImapSsl 993 ++ lib.optional enablePop3 110 ++ lib.optional enablePop3Ssl 995 + ++ lib.optional enableManageSieve 4190 ++ lib.optional (certificateScheme == 3) 80; }; }; diff --git a/mail-server/users.nix b/mail-server/users.nix index 9484882..a8cda32 100644 --- a/mail-server/users.nix +++ b/mail-server/users.nix @@ -55,16 +55,21 @@ let # is null, remove the file. ${lib.concatMapStringsSep "\n" ({ name, sieveScript }: if lib.isString sieveScript then '' - cat << EOF > "/var/sieve/${name}.sieve" + if (! test -d "/var/sieve/${name}"); then + mkdir -p "/var/sieve/${name}" + chown "${name}:${vmailGroupName}" "/var/sieve/${name}" + chmod 770 "/var/sieve/${name}" + fi + cat << EOF > "/var/sieve/${name}/default.sieve" ${sieveScript} EOF - chown "${name}:${vmailGroupName}" "/var/sieve/${name}.sieve" + chown "${name}:${vmailGroupName}" "/var/sieve/${name}/default.sieve" '' else '' - if (test -f "/var/sieve/${name}.sieve"); then - rm "/var/sieve/${name}.sieve" + if (test -f "/var/sieve/${name}/default.sieve"); then + rm "/var/sieve/${name}/default.sieve" fi if (test -f "/var/sieve/${name}.svbin"); then - rm "/var/sieve/${name}.svbin" + rm "/var/sieve/${name}/default.svbin" fi '') (map (user: { inherit (user) name sieveScript; }) (lib.attrValues loginAccounts))}
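Review bot: In the removal branch of mail-server/users.nix the context line still tests `/var/sieve/${name}.svbin` while the new `rm` targets `/var/sieve/${name}/default.svbin`, so the test and the delete no longer refer to the same file. The compiled script is then either left behind or `rm` runs on a path that was never checked; the test should become `if (test -f "/var/sieve/${name}/default.svbin"); then`. Separately, `chmod 770` makes each user's script directory writable by the whole `${vmailGroupName}` group. If the login accounts share that group, `chmod 700` would keep one account from altering another's filters, unless some group member really needs write access. The surrounding script starts before the hunk.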