diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml
index 6182ae10d17c5d754bc94f3d8dfb3ea40b68f753..85f52d9ec5154566f10689e1511863349808ea13 100644
--- a/dovecot/tasks/main.yml
+++ b/dovecot/tasks/main.yml
@@ -51,7 +51,7 @@
   template:
     src: "sieve/{{ item }}.j2"
     dest: "/var/lib/dovecot/sieve.d/{{ item }}"
-    mode: '0550'
+    mode: '0640'
     owner: dovecot
     group: "{{ dovecot_users_group }}"
   with_items:
@@ -66,6 +66,25 @@
     - spamassassin
     - mail
 
+- meta: flush_handlers
+
+- name: ensure the global spam filter and learning sieve script have correct permissions
+  file:
+    state: present
+    path: "/var/lib/dovecot/sieve.d/{{ item }}"
+    mode: '0640'
+    owner: dovecot
+    group: "{{ dovecot_users_group }}"
+  with_items:
+    - filter-spam.svbin
+    - report-spam.svbin
+    - report-ham.svbin
+  when: dovecot_content_filter
+  tags:
+    - dovecot
+    - spamassassin
+    - mail
+
 - name: ensure scripts for learning spam are present
   copy:
     src: "{{ item }}"