diff --git a/target/dovecot/auth-ldap.conf.ext b/target/dovecot/auth-ldap.conf.ext
new file mode 100644
index 00000000..222769aa
--- /dev/null
+++ b/target/dovecot/auth-ldap.conf.ext
@@ -0,0 +1,21 @@
+# NOTE: This is effectively the same default LDAP config shipped by Dovecot
+# The only difference is the addition of the passdb mechanisms field,
+# which restricts what auth mechanisms are supported / expected.
+# This prevents unnecessary auth failure logs triggering Fail2Ban when
+# additional passdb are enabled (OAuth2).
+
+passdb {
+  driver = ldap
+  mechanism = plain login
+
+  # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
+  args = /etc/dovecot/dovecot-ldap.conf.ext
+}
+
+userdb {
+  driver = ldap
+  args = /etc/dovecot/dovecot-ldap.conf.ext
+
+  # Default fields can be used to specify defaults that LDAP may override
+  #default_fields = home=/home/virtual/%u
+}
diff --git a/target/dovecot/auth-oauth2.conf.ext b/target/dovecot/auth-oauth2.conf.ext
index 6096d1e4..99a7986b 100644
--- a/target/dovecot/auth-oauth2.conf.ext
+++ b/target/dovecot/auth-oauth2.conf.ext
@@ -1,5 +1,12 @@
+# Allow clients to use these additional mechanisms:
 auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
 
+# Dovecot docs consider the oauth2 driver as a "success/failure" type PassDB:
+# https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/#success-failure-database
+# Which implies it cannot be configured for the non-plaintext SASL mechanisms listed here:
+# https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/#dovecot-supports-the-following-non-plaintext-mechanisms
+# However that is not the case, these mechanisms are still valid to prevent trying other incompatible mechanisms (like `plain`).
+
 passdb {
     driver = oauth2
     mechanisms = xoauth2 oauthbearer
diff --git a/target/dovecot/auth-passwdfile.inc b/target/dovecot/auth-passwdfile.inc
index 6bbf8258..38be4e5f 100644
--- a/target/dovecot/auth-passwdfile.inc
+++ b/target/dovecot/auth-passwdfile.inc
@@ -9,6 +9,7 @@
 
 passdb {
   driver = passwd-file
+  mechanisms = plain login
   args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/userdb
 }
 
diff --git a/test/tests/serial/mail_with_oauth2.bats b/test/tests/serial/mail_with_oauth2.bats
index 0cc34a01..8da365cb 100644
--- a/test/tests/serial/mail_with_oauth2.bats
+++ b/test/tests/serial/mail_with_oauth2.bats
@@ -75,4 +75,8 @@ function __verify_successful_login() {
   _run_in_container grep 'dovecot:' /var/log/mail.log
   refute_output --partial 'oauth2 failed: Introspection failed'
   assert_output --partial "dovecot: imap-login: Login: user=<user1@localhost.localdomain>, method=${AUTH_METHOD}"
+
+  # If another PassDB is enabled, it should not have been attempted with the XOAUTH2 / OAUTHBEARER mechanisms:
+  # dovecot: auth: passwd-file(john.doe@example.test,127.0.0.1): Password mismatch (SHA1 of given password: d390c1) - trying the next passdb
+  refute_output --partial 'trying the next passdb'
 }