diff --git a/Dockerfile b/Dockerfile
index 6743f2a1..509d4b1a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -94,7 +94,6 @@ COPY target/rspamd/local.d/ /etc/rspamd/local.d/
 # --- OAUTH2 ------------------------------------
 # -----------------------------------------------
-COPY target/dovecot/dovecot-oauth2.conf.ext /etc/dovecot
 COPY target/dovecot/auth-oauth2.conf.ext /etc/dovecot/conf.d
 # -----------------------------------------------
diff --git a/target/dovecot/auth-oauth2.conf.ext b/target/dovecot/auth-oauth2.conf.ext
index 99a7986b..4c490068 100644
--- a/target/dovecot/auth-oauth2.conf.ext
+++ b/target/dovecot/auth-oauth2.conf.ext
@@ -1,14 +1,26 @@
-# Allow clients to use these additional mechanisms:
-auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
-
-# Dovecot docs consider the oauth2 driver as a "success/failure" type PassDB:
-# https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/#success-failure-database
-# Which implies it cannot be configured for the non-plaintext SASL mechanisms listed here:
-# https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/#dovecot-supports-the-following-non-plaintext-mechanisms
+# The OAuth2 driver is a so-called "Success/Failure Database".
+# These databases simply verify if the given password is correct
+# for the user. Dovecot doesn't get the correct password from the
+# database, it only gets a success or a failure reply. This means
+# that these databases can't be used with non-cleartext
+# authentication mechanisms.
+#
+# This implies it cannot be configured for the non-plaintext SASL
+# mechanisms listed here: https://doc.dovecot.org/2.4.3/developers/design/auth_process.html#password-databases
+#
+# TODO check if still valid
 # However that is not the case, these mechanisms are still valid to prevent trying other incompatible mechanisms (like `plain`).
+#
+# REF https://doc.dovecot.org/2.4.3/core/config/auth/passdb.html#success-failure-database
+# https://doc.dovecot.org/2.4.3/core/config/auth/databases/oauth2.html#open-authentication-v2-0-database-oauth2
-passdb {
- driver = oauth2
- mechanisms = xoauth2 oauthbearer
- args = /etc/dovecot/dovecot-oauth2.conf.ext
+auth_mechanisms {
+ oauthbearer = yes
+ xoauth2 = yes
+}
+
+oauth2 {
+ introspection_url =
+ introspection_mode = auth
+ username_attribute = email
 }
diff --git a/target/dovecot/dovecot-oauth2.conf.ext b/target/dovecot/dovecot-oauth2.conf.ext
deleted file mode 100644
index 6998ed08..00000000
--- a/target/dovecot/dovecot-oauth2.conf.ext
+++ /dev/null
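Review bot: The removed `passdb { … mechanisms = xoauth2 oauthbearer … }` block has no replacement in this hunk, so unless a passdb with `driver = oauth2` is declared elsewhere, the new `oauth2 { … }` block only defines settings and nothing actually consults the introspection endpoint, while the kept context line `# However that is not the case, these mechanisms are still valid to prevent trying other incompatible mechanisms …` now describes a mechanism filter that no longer exists. That filter is also what keeps a cleartext PLAIN/LOGIN password from being forwarded to the introspection URL as a bearer token, and the bats helper touched later in this change ("should not have been attempted with the XOAUTH2 / OAUTHBEARER mechanisms") assumes it is in place. Re-add a passdb with the filter: Dovecot 2.3 spelled it `mechanisms`, and I believe the 2.4 passdb reference the comment already links lists it as `mechanisms_filter` — confirm the name there. The comment block itself should also be tidied before shipping, since it first states the driver cannot be used with non-cleartext mechanisms, then says that is not the case, and leaves `# TODO check if still valid` in a config that ships in the image.
```conf
# … unchanged: oauth2 { … } settings block …

# Only consult the OAuth2 passdb for the bearer-token mechanisms, so a
# cleartext password (PLAIN/LOGIN) is never sent to the introspection URL.
passdb oauth2 {
  driver = oauth2
  mechanisms_filter = xoauth2 oauthbearer
}
```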
@@ -1,4 +0,0 @@ -introspection_url = -# Dovecot defaults: -introspection_mode = auth -username_attribute = email diff --git a/target/scripts/startup/setup.d/oauth2.sh b/target/scripts/startup/setup.d/oauth2.sh index 20e9ffd1..ad90c7bc 100644 --- a/target/scripts/startup/setup.d/oauth2.sh +++ b/target/scripts/startup/setup.d/oauth2.sh @@ -5,7 +5,9 @@ function _setup_oauth2() { # Enable OAuth2 PassDB (Authentication): sedfile -i -e '/\!include auth-oauth2\.conf\.ext/s/^#//' /etc/dovecot/conf.d/10-auth.conf - _replace_by_env_in_file 'OAUTH2_' '/etc/dovecot/dovecot-oauth2.conf.ext' + sedfile -i -E \ + "s|( *introspection_url =)|\1 ${OAUTH2_INTROSPECTION_URL}|" \ + /etc/dovecot/conf.d/auth-oauth2.conf.ext return 0 } diff --git a/test/tests/serial/mail_with_oauth2.bats b/test/tests/serial/mail_with_oauth2.bats index 968d63ab..a6078a9a 100644 --- a/test/tests/serial/mail_with_oauth2.bats +++ b/test/tests/serial/mail_with_oauth2.bats @@ -59,15 +59,6 @@ function teardown_file() { } @test "should authenticate with XOAUTH2" { - # curl 7.80.0 (Nov 2021) broke XOAUTH2 support (DMS v14 release with Debian 12 packages curl 7.88.1) - # https://github.com/docker-mailserver/docker-mailserver/pull/3403#issuecomment-1907100624 - # - # Fixed in curl 8.6.0 (Jan 31 2024): - # - https://github.com/curl/curl/issues/10259 - # - https://github.com/curl/curl/commit/7b2d98dfadf209108aa7772ee21ae42e3dab219f (referenced in release changelog by commit title) - # - https://github.com/curl/curl/releases/tag/curl-8_6_0 - skip 'unable to test XOAUTH2 mechanism due to bug in curl versions 7.80.0 --> 8.5.0' - __should_login_successfully_with 'XOAUTH2' } 
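Review bot: `${OAUTH2_INTROSPECTION_URL}` is spliced unescaped into the sed replacement on the new `sedfile -i -E "s|( *introspection_url =)|\1 ${OAUTH2_INTROSPECTION_URL}|"` line, so a `|` in the value terminates the expression, `&` is expanded to the matched text and backslash sequences are interpreted — an introspection endpoint with a query string (`?client_id=x&…`) is silently written into the config as something else. Escape the value before use, e.g. `URL="$(printf '%s' "${OAUTH2_INTROSPECTION_URL}" | sed -e 's/[\\|&]/\\&/g')"`, and substitute `${URL}` in the replacement instead. The same line has no guard for an unset variable: `introspection_url =` then simply stays empty and the problem only surfaces at the first login attempt, so a check such as `: "${OAUTH2_INTROSPECTION_URL:?must be set}"` (or at least a logged warning) before the sed would report the misconfiguration at startup. The replaced `_replace_by_env_in_file 'OAUTH2_' …` call looks like it mapped every `OAUTH2_*` variable onto the old file, whereas the new sed only sets `introspection_url`; if `OAUTH2_INTROSPECTION_MODE` / `OAUTH2_USERNAME_ATTRIBUTE` were previously honoured, that regression needs either a matching sed or a note in the docs, and `_setup_oauth2` itself starts before this hunk.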
@@ -117,7 +108,7 @@ function __dovecot_logs_should_verify_success() {
 # Inspect the relevant Dovecot logs to catch failure / success:
 _service_log_should_contain_string 'mail' 'dovecot:'
 refute_output --partial 'oauth2 failed: Introspection failed'
- assert_output --partial "dovecot: imap-login: Login: user=<${USER_ACCOUNT}>, method=${AUTH_METHOD}"
+ assert_output --partial "dovecot: imap-login: Logged in: user=<${USER_ACCOUNT}>, method=${AUTH_METHOD}"
 # If another PassDB is enabled, it should not have been attempted with the XOAUTH2 / OAUTHBEARER mechanisms:
 # dovecot: auth: passwd-file(${USER_ACCOUNT},127.0.0.1): Password mismatch (SHA1 of given password: d390c1) - trying the next passdb