diff --git a/profiles/apparmor.d/usr.lib.dovecot.script-login b/profiles/apparmor.d/usr.lib.dovecot.script-login
new file mode 100644
index 000000000..3b0468957
--- /dev/null
+++ b/profiles/apparmor.d/usr.lib.dovecot.script-login
@@ -0,0 +1,33 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Michael Hirmke
+# Copyright (C) 2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+profile dovecot-script-login /usr/lib/dovecot/script-login {
+ #include
+ #include
+ #include
+
+ capability setuid,
+
+ /usr/lib/dovecot/script-login mrPx,
+
+ # NOTE: You'll need to allow execution of your actual login script.
+ # The recommended way is to add a rule for it in local/usr.lib.dovecot.script-login
+ # for example
+ # /home/vmail/bin/postlogin.sh Px,
+ # and then to create the profile for the script.
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
+
diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
index 3be45032c..ec3296aa7 100644
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -56,6 +56,7 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
 /usr/lib/dovecot/managesieve-login Pxmr,
 /usr/lib/dovecot/pop3 mrPx,
 /usr/lib/dovecot/pop3-login Pxmr,
+ /usr/lib/dovecot/script-login Px,
 /usr/lib/dovecot/ssl-build-param rix,
 /usr/lib/dovecot/ssl-params mrPx,
 /usr/lib/dovecot/stats Px,
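Review bot: The self-rule `/usr/lib/dovecot/script-login mrPx,` in the new dovecot-script-login profile gives the confined binary an exec transition onto its own path, which looks broader than needed. Unless script-login really re-executes itself, `/usr/lib/dovecot/script-login mr,` would let it map its own image without the extra exec permission. `capability setuid,` is granted with no explanation; a one-line comment above it saying which privilege change requires it would help reviewers judge whether it can be dropped later. The example path `/home/vmail/bin/postlogin.sh` sits under a home directory, so the NOTE could add that the script and its parent directories should not be writable by the mail account, since whoever can edit that file controls what runs after login. The `#include` targets are not visible in this rendering, so what the abstractions add to this profile could not be checked here.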