From a11f91b83506289d03c4df2bf3c5ea3cad27f665 Mon Sep 17 00:00:00 2001
From: Steven Hiscocks <steven@hiscocks.me.uk>
Date: Sat, 20 Jul 2013 17:28:28 +0100
Subject: [PATCH] ENH: Improve cyrus-imap regex and add extra sample line

---
 config/filter.d/cyrus-imap.conf | 5 ++---
 testcases/files/logs/cyrus-imap | 3 +++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/config/filter.d/cyrus-imap.conf b/config/filter.d/cyrus-imap.conf
index ae7bf6bd..b63fad8f 100644
--- a/config/filter.d/cyrus-imap.conf
+++ b/config/filter.d/cyrus-imap.conf
@@ -22,9 +22,8 @@ _daemon = (?:cyrus/)?(?:imapd?|pop3d?)
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = ^%(__prefix_line)sbadlogin: \S+ \[<HOST>\] (?:plaintext|LOGIN) .* \[?SASL\(-13\): authentication failure: checkpass failed\]?$
-	    ^%(__prefix_line)sbadlogin: \S+ \[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
-	    ^%(__prefix_line)sbadlogin: \S+ \[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] (?:plaintext|PLAIN|LOGIN) .* \[?SASL\(-13\): authentication failure: checkpass failed\]?$
+	    ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] (?:(?:CRAM|DIGEST)-MD5|NTLM|OTP) \[SASL\(-13\): authentication failure: .*\]$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
diff --git a/testcases/files/logs/cyrus-imap b/testcases/files/logs/cyrus-imap
index 5886938e..9bf271f6 100644
--- a/testcases/files/logs/cyrus-imap
+++ b/testcases/files/logs/cyrus-imap
@@ -8,3 +8,6 @@ Feb 20 17:23:32 cyrus/pop3[4297]: badlogin: example.com [1.2.3.4] plaintext mail
 Jun 8 18:11:13 lampserver imap[4480]: badlogin: example.com [198.51.100.45] DIGEST-MD5 [SASL(-13): authentication failure: client response doesn't match what we generated]
 # failJSON: { "time": "2004-12-21T10:01:57", "match": true , "host": "198.51.100.57" }
 Dec 21 10:01:57 hostname imapd[18454]: badlogin: example.com [198.51.100.57] CRAM-MD5 [SASL(-13): authentication failure: incorrect digest response]
+# failJSON: { "time": "2004-12-30T16:03:27", "match": true , "host": "1.2.3.4" }
+Dec 30 16:03:27 somehost imapd[2517]: badlogin: local-somehost[1.2.3.4] OTP [SASL(-13): authentication failure: External SSF not good enough]
+