diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf
index 51c28af4..dd0e7678 100644
--- a/config/filter.d/dovecot.conf
+++ b/config/filter.d/dovecot.conf
@@ -9,7 +9,7 @@ before = common.conf
 [Definition]
-_daemon = (dovecot(-auth)?|auth-worker)
+_daemon = (auth|dovecot(-auth)?|auth-worker)
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile.
 # first regex is essentially a copy of pam-generic.conf
diff --git a/config/jail.conf b/config/jail.conf
index 594dfc3b..1154cb52 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -472,5 +472,16 @@ filter = webmin-auth
 action = iptables-multiport[name=webmin,port="10000"]
 logpath = /var/log/auth.log
+# dovecot defaults to logging to the mail syslog facility
+# but can be set by syslog_facility in the dovecot configuration.
+[dovecot]
+enabled = false
+filter = dovecot
+action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
+logpath = /var/log/mail.log
-
+[dovecot-auth]
+enabled = false
+filter = dovecot
+action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
+logpath = /var/log/secure
diff --git a/testcases/files/logs/dovecot b/testcases/files/logs/dovecot
index 733552df..d2aa59ca 100644
--- a/testcases/files/logs/dovecot
+++ b/testcases/files/logs/dovecot
@@ -35,3 +35,7 @@ Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSER
 # failJSON: { "time": "2013-08-11T03:56:40", "match": true , "host": "1.2.3.4" }
 2013-08-11 03:56:40 auth-worker(default): Info: pam(username,1.2.3.4): pam_authenticate() failed: Authentication failure (password mismatch?)
+
+# failJSON: { "time": "2005-04-19T05:22:20", "match": true , "host": "80.255.3.104" }
+Apr 19 05:22:20 vm5 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=informix rhost=80.255.3.104
+
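Review bot: The new `auth` alternative in `_daemon` is a generic syslog tag, so which lines count as Dovecot failures now rests entirely on the failregex, which lies outside this hunk. If that regex does not itself require the Dovecot PAM service or `tty=dovecot`, failures logged by other programs under the tag `auth` in the same logpath would be counted and banned on the mail ports; that is worth confirming before merge. A comment above the line would record why the tag is accepted, e.g. `# "auth" is the tag on pam_unix(dovecot:auth) lines, see testcases/files/logs/dovecot`.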
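Review bot: Both new `action` lines in `config/jail.conf` give the port list as service names, and nothing in the hunk covers a host where a name such as `sieve` or `submission` does not resolve; there the firewall rule would presumably fail to load and the jail would count failures without ever blocking. A comment above `[dovecot]` such as `# port names must resolve via /etc/services; use numbers if they do not` would warn whoever sets `enabled = true`. The existing comment explains only the `mail.log` path, so `[dovecot-auth]` should get its own line, e.g. `# PAM failures for dovecot may land in the auth log instead of the mail log`, if that is the intent of the second jail.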
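Review bot: The added sample in `testcases/files/logs/dovecot` pins only the positive case for the new `auth` tag; nothing in the visible test log shows that an `auth:` line from a different PAM service stays unmatched. Because the filter change widens the accepted daemon names, a negative sample would guard against over-matching: a `# failJSON: { "match": false }` entry followed by a constructed `auth: pam_unix(<other-service>:auth): authentication failure; ...` line whose `tty=` is not dovecot.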