diff --git a/CHANGELOG.md b/CHANGELOG.md
index 11015d18..42f87129 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ To upgrade replace the `stalwart-mail` binary and then upgrade to the latest web
 - AI-powered Spam filtering and Sieve scripting (Enterprise feature).
 ### Changed
+- The untrusted Sieve interpreter now has the `vnd.stalwart.expressions` extension enabled by default. This allows Sieve users to use the `eval` function to evaluate expressions in their scripts. If you would like to disable this extension, you can do so by adding `vnd.stalwart.expressions` to `sieve.untrusted.disabled-capabilities`.
 ### Fixed
 - S3-compatible backends: Retry on `5xx` errors.
diff --git a/resources/apparmor.d/stalwart-mail b/resources/apparmor.d/stalwart-mail
new file mode 100644
index 00000000..0c2483be
--- /dev/null
+++ b/resources/apparmor.d/stalwart-mail
@@ -0,0 +1,59 @@
+#include
+
+profile stalwart-mail flags=(attach_disconnected) {
+ #include
+ #include
+ #include
+
+ # Allow network access
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+
+ # Outgoing access to port 25 and 443
+ network tcp,
+ network udp,
+ owner /proc/*/net/if_inet6 r,
+ owner /proc/*/net/ipv6_route r,
+
+ # Full write access to /opt/stalwart-mail
+ /opt/stalwart-mail/** rwk,
+
+ # Allow creating directories under /tmp
+ /tmp/ r,
+ /tmp/** rwk,
+
+ # Allow binding to specific ports
+ network inet stream bind port 25,
+ network inet stream bind port 587,
+ network inet stream bind port 465,
+ network inet stream bind port 143,
+ network inet stream bind port 993,
+ network inet stream bind port 110,
+ network inet stream bind port 995,
+ network inet stream bind port 4190,
+ network inet stream bind port 443,
+ network inet stream bind port 8080,
+ network inet6 stream bind port 25,
+ network inet6 stream bind port 587,
+ network inet6 stream bind port 465,
+ network inet6 stream bind port 143,
+ network inet6 stream bind port 993,
+ network inet6 stream bind port 110,
+ network inet6 stream bind port 995,
+ network inet6 stream bind port 4190,
+ network inet6 stream bind port 443,
+ network inet6 stream bind port 8080,
+
+ # Allow UDP port 7911
+ network inet dgram bind port 7911,
+ network inet6 dgram bind port 7911,
+
+ # Basic system access
+ /usr/bin/stalwart-mail rix,
+ /etc/stalwart-mail/** r,
+ /var/log/stalwart-mail/** w,
+
+ # Additional permissions might be needed depending on specific requirements
+}
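Review bot: The unqualified `network inet stream,` / `network inet6 stream,` / `network inet dgram,` / `network inet6 dgram,` rules under "Allow network access" already permit every socket operation for those families, including binding to any port, so the later per-port `network inet stream bind port 25,` lines (and the `network tcp,` / `network udp,` pair under "Outgoing access to port 25 and 443") do not narrow anything, and the comments describe a restriction the profile does not enforce. If per-port confinement is intended, the unqualified rules should be dropped and only the qualified ones kept, after confirming the `bind port N` rule form is accepted by the target apparmor_parser version, since fine-grained port mediation is recent and an unrecognised rule prevents the whole profile from loading; otherwise the comments should be reworded to say the rules are informational. The `#include` lines appear here without their `<...>` argument, which may be a rendering artefact of this page, but if the file really lacks them it will not parse. Because the `profile stalwart-mail` header carries no attachment path, the profile only takes effect when the service unit or `aa-exec` selects it by name, and the trailing `# Additional permissions might be needed depending on specific requirements` would be more useful replaced by a comment stating that, e.g. `# No attachment path: load via the systemd unit (AppArmorProfile=) or aa-exec -p stalwart-mail`.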