diff --git a/rootfs/etc/confd/conf.d/dovecot-oauth2.plain.conf.ext.toml b/rootfs/etc/confd/conf.d/dovecot-oauth2.plain.conf.ext.toml
new file mode 100644
index 0000000..f53fbd8
--- /dev/null
+++ b/rootfs/etc/confd/conf.d/dovecot-oauth2.plain.conf.ext.toml
@@ -0,0 +1,3 @@
+[template]
+src = "dovecot-oauth2.plain.conf.ext.tmpl"
+dest = "/etc/dovecot/dovecot-oauth2.plain.conf.ext"
diff --git a/rootfs/etc/confd/conf.d/dovecot-oauth2.token.conf.ext.toml b/rootfs/etc/confd/conf.d/dovecot-oauth2.token.conf.ext.toml
new file mode 100644
index 0000000..e657a67
--- /dev/null
+++ b/rootfs/etc/confd/conf.d/dovecot-oauth2.token.conf.ext.toml
@@ -0,0 +1,3 @@
+[template]
+src = "dovecot-oauth2.token.conf.ext.tmpl"
+dest = "/etc/dovecot/dovecot-oauth2.token.conf.ext"
diff --git a/rootfs/etc/confd/templates/dovecot-oauth2.plain.conf.ext.tmpl b/rootfs/etc/confd/templates/dovecot-oauth2.plain.conf.ext.tmpl
new file mode 100644
index 0000000..0097744
--- /dev/null
+++ b/rootfs/etc/confd/templates/dovecot-oauth2.plain.conf.ext.tmpl
@@ -0,0 +1,10 @@
+grant_url = {{ getenv "GRANT_URL" }}
+client_id = {{ getenv "CLIENT_ID" }}
+client_secret = {{ getenv "CLIENT_SECRET" }}
+introspection_url = {{ getenv "INTROSPECTION_URL" }}
+introspection_mode = {{ getenv "INTROSPECTION_MODE" "post" }}
+username_attribute = username
+tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
+use_grant_password = yes
+pass_attrs = host=127.0.0.1 proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}
+debug = yes
diff --git a/rootfs/etc/confd/templates/dovecot-oauth2.token.conf.ext.tmpl b/rootfs/etc/confd/templates/dovecot-oauth2.token.conf.ext.tmpl
new file mode 100644
index 0000000..ab3da63
--- /dev/null
+++ b/rootfs/etc/confd/templates/dovecot-oauth2.token.conf.ext.tmpl
@@ -0,0 +1,11 @@
+grant_url = {{ getenv "GRANT_URL" }}
+client_id = {{ getenv "CLIENT_ID" }}
+client_secret = {{ getenv "CLIENT_SECRET" }}
+tokeninfo_url = {{ getenv "TOKENINFO_URL" }}
+introspection_url = {{ getenv "INTROSPECTION_URL" }}
+introspection_mode = {{ getenv "INTROSPECTION_MODE" "post" }}
+username_attribute = username
+tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
+use_grant_password = no
+pass_attrs = pass=%{oauth2:access_token}
+debug = yes