diff --git a/ChangeLog b/ChangeLog
index aebfa829..c0b97c85 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,6 +33,8 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
 	  send. This ensures that all data is sent before closing the connection.
   - Removed unnecessary reference to as yet undeclared $jail_name when checking
     a specific jail.
+  - Filter dovecot reordered session and TLS items in regex with wider scope
+    for session characters. Thanks Ivo Truxa. Closes gh-586
 
 - Enhancements:
   - added firewallcmd-ipset action
diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf
index a51ce259..c4ce7d7c 100644
--- a/config/filter.d/dovecot.conf
+++ b/config/filter.d/dovecot.conf
@@ -10,7 +10,7 @@ before = common.conf
 _daemon = (auth|dovecot(-auth)?|auth-worker)
 
 failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
-            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
+            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$
             ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
 
 ignoreregex = 
diff --git a/testcases/files/logs/dovecot b/testcases/files/logs/dovecot
index b9ca50f9..5fe89c56 100644
--- a/testcases/files/logs/dovecot
+++ b/testcases/files/logs/dovecot
@@ -43,8 +43,8 @@ Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSER
 Apr 19 05:22:20 vm5 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=informix rhost=80.255.3.104
 
 
-# failJSON: { "time": "2014-01-13T20:51:05", "match": true , "host": "1.2.3.4" }
+# failJSON: { "time": "2005-01-13T20:51:05", "match": true , "host": "1.2.3.4" }
 Jan 13 20:51:05 valhalla dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts in 178 secs): user=<ivo>, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, session=<6brQWt/vCADDhP/+>
-# failJSON: { "time": "2014-01-14T15:54:30", "match": true , "host": "1.2.3.4" }
+# failJSON: { "time": "2005-01-14T15:54:30", "match": true , "host": "1.2.3.4" }
 Jan 14 15:54:30 valhalla dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ivo>, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, TLS: Disconnected, session=<q454Xu/vMwBZApgg>