Merge branch 'bf+enh/cyrus-imap' of https://github.com/yarikoptic/fail2ban (with some tune up to Changelog entry)

* 'bf+enh/cyrus-imap' of https://github.com/yarikoptic/fail2ban:
  ENH: cyrus-imap -- catch also 'user not found' attempts
  BF: cyrus-imaps -- catch also for secured daemons

Conflicts:
	ChangeLog

ChangeLog

@@ -44,6 +44,9 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
    * Pass "bantime" parameter to the actions in default jail's action
      definition(s)
    * filters.d/sieve.conf - fixed typo in _daemon.  Thanks Jisoo Park
+   * cyrus-imap -- also catch also failed logins via secured (imaps/pop3s).
+     Regression was introduced while strengthening failregex in 0.8.11 (bd175f)
+     Debian bug #755173
 
 - New features:
    - Added
@@ -63,6 +66,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
    * Realign fail2ban log output with white space to improve readability. Does
      not affect SYSLOG output
    * Log unhandled exceptions
+   * cyrus-imap: catch "user not found" attempts
 
 ver. 0.9.0 (2014/03/14) - beta
 ----------

THANKS

@@ -82,6 +82,7 @@ onorua
 Paul Marrapese
 Noel Butler
 Patrick Börjesson
+Pressy
 Raphaël Marichez
 RealRancor
 René Berber

config/filter.d/cyrus-imap.conf

@@ -11,9 +11,9 @@ before = common.conf
 
 [Definition]
 
-_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
+_daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?)
 
-failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$
 
 ignoreregex = 
 

fail2ban/tests/files/logs/cyrus-imap

@@ -1,5 +1,7 @@
 # failJSON: { "time": "2005-01-04T21:51:05", "match": true , "host": "127.0.0.1" }
 Jan 4 21:51:05 hostname cyrus/imap[5355]: badlogin: localhost.localdomain [127.0.0.1] plaintext cyrus@localdomain SASL(-13): authentication failure: checkpass failed
+# failJSON: { "time": "2005-01-04T21:51:05", "match": true , "host": "127.0.0.1", "desc": "For secure imaps" }
+Jan 4 21:51:05 hostname cyrus/imaps[5355]: badlogin: localhost.localdomain [127.0.0.1] plaintext cyrus@localdomain SASL(-13): authentication failure: checkpass failed
 # failJSON: { "time": "2005-02-20T17:23:32", "match": true , "host": "198.51.100.23" }
 Feb 20 17:23:32 domain cyrus/pop3[18635]: badlogin: localhost [198.51.100.23] plaintext administrator SASL(-13): authentication failure: checkpass failed
 # failJSON: { "time": "2005-02-20T17:23:32", "match": true , "host": "1.2.3.4" }
@@ -10,4 +12,7 @@ Jun 8 18:11:13 lampserver imap[4480]: badlogin: example.com [198.51.100.45] DIGE
 Dec 21 10:01:57 hostname imapd[18454]: badlogin: example.com [198.51.100.57] CRAM-MD5 [SASL(-13): authentication failure: incorrect digest response]
 # failJSON: { "time": "2004-12-30T16:03:27", "match": true , "host": "1.2.3.4" }
 Dec 30 16:03:27 somehost imapd[2517]: badlogin: local-somehost[1.2.3.4] OTP [SASL(-13): authentication failure: External SSF not good enough]
-
+# failJSON: { "time": "2005-07-17T22:55:56", "match": true , "host": "1.2.3.4" }
+Jul 17 22:55:56 derry cyrus/imaps[7568]: badlogin: serafinat.xxxxxx [1.2.3.4] plain [SASL(-13): user not found: user: pressy@derry property: cmusaslsecretPLAIN not found in sasldb]
+# failJSON: { "time": "2005-07-18T16:46:42", "match": true , "host": "1.2.3.4" }
+Jul 18 16:46:42 derry cyrus/imaps[27449]: badlogin: serafinat.xxxxxx [1.2.3.4] PLAIN [SASL(-13): user not found: Password verification failed]