diff --git a/profiles/apparmor.d/usr.lib.dovecot.anvil b/profiles/apparmor.d/usr.lib.dovecot.anvil
index aba8854e9..5b0fba6b2 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.anvil
+++ b/profiles/apparmor.d/usr.lib.dovecot.anvil
@@ -18,7 +18,10 @@
   capability setuid,
   capability sys_chroot,
+  unix (receive, send) type=stream peer=(label=dovecot),
+  /run/dovecot/anvil rw,
+  /run/dovecot/anvil-auth-penalty rw,
   /usr/lib/dovecot/anvil mr,
   # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/usr.lib.dovecot.auth b/profiles/apparmor.d/usr.lib.dovecot.auth
index b44441e26..2545ede7f 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.auth
@@ -25,6 +25,7 @@
   capability dac_override,
   capability dac_read_search,
   capability setuid,
+  capability sys_chroot,
   /etc/my.cnf r,
   /etc/my.cnf.d/ r,
@@ -32,6 +33,7 @@
   /etc/dovecot/* r,
   /usr/lib/dovecot/auth mr,
+  /var/lib/dovecot/auth-chroot/* r,
   # kerberos replay cache
   /var/tmp/imap_* rw,
@@ -40,6 +42,7 @@
   /var/tmp/smtp_* rw,
   /run/dovecot/auth-master rw,
+  /run/dovecot/auth-userdb rw,
   /run/dovecot/auth-worker rw,
   /run/dovecot/login/login rw,
   /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
@@ -47,7 +50,7 @@
   /{var/,}run/dovecot/stats-user rw,
   /{var/,}run/dovecot/anvil-auth-penalty rw,
-  /var/spool/postfix/private/auth w,
+  /var/spool/postfix/private/auth rw,
   # Site-specific additions and overrides. See local/README for details.
   #include
diff --git a/profiles/apparmor.d/usr.lib.dovecot.lmtp b/profiles/apparmor.d/usr.lib.dovecot.lmtp
index d30a4cb09..f2b60b8b0 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.lmtp
+++ b/profiles/apparmor.d/usr.lib.dovecot.lmtp
@@ -17,6 +17,7 @@
   #include
   #include
   #include
+  #include
   #include
   capability dac_override,
diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
index 8f130fe31..309c713df 100644
--- a/profiles/apparmor.d/usr.sbin.dovecot
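Review bot: The new unix rule in usr.lib.dovecot.anvil names the master process by the bare label `dovecot`, while the counterpart rule this commit adds to usr.sbin.dovecot names the anvil side by path (`peer=(label=/usr/lib/dovecot/anvil)`); the two only line up if usr.sbin.dovecot declares a named profile (`profile dovecot /usr/sbin/dovecot`), otherwise the master's label is its path and the anvil-side rule never matches, so the socket traffic is rejected in enforce mode. Please confirm the profile name, or spell both peers the same way. Separately, the two socket rules use `/run/dovecot/` where the auth profile spells the same socket as `/{var/,}run/dovecot/anvil-auth-penalty`; `/{var/,}run/dovecot/anvil rw,` and `/{var/,}run/dovecot/anvil-auth-penalty rw,` would keep the profiles consistent on systems where /var/run is a real directory. The enclosing profile block starts and ends outside the hunk.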
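Review bot: `capability sys_chroot` in usr.lib.dovecot.auth is a privilege grant with no comment saying what the auth process chroots into; the next hunk in the same file adds `/var/lib/dovecot/auth-chroot/* r,`, which is presumably the target, and tying the two together in place lets the next reviewer judge whether the capability is still needed. Suggest `# chroot into /var/lib/dovecot/auth-chroot (see the auth-chroot rule below)` above the capability line and a matching comment on the file rule. Note that `*` matches only direct children of auth-chroot/, not the directory itself or nested paths; whether that is enough depends on the chroot's layout, so keep it this narrow unless audit denials show nested accesses. The enclosing profile block starts and ends outside the hunk.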
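Review bot: The widening from `w` to `rw` on `/var/spool/postfix/private/auth` in usr.lib.dovecot.auth carries no explanation; judging by the path this is the SASL socket the auth process provides to Postfix, and the added read bit is presumably what the kernel asks for on a file-backed unix socket rather than a need to read file contents. A comment such as `# Postfix smtpd SASL socket (unix socket, not file contents)` on the rule would record that so the permission is not tightened back later. The enclosing profile block starts and ends outside the hunk.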
+++ b/profiles/apparmor.d/usr.sbin.dovecot @@ -33,6 +33,8 @@ signal send set=(int,quit) peer=/usr/lib/dovecot/*, + unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil), + /etc/dovecot/** r, /etc/mtab r, /etc/lsb-release r,