ENH: Improve cyrus-imap regex and add extra sample line

config/filter.d/cyrus-imap.conf

@@ -22,9 +22,8 @@ _daemon = (?:cyrus/)?(?:imapd?|pop3d?)
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = ^%(__prefix_line)sbadlogin: \S+ \[<HOST>\] (?:plaintext|LOGIN) .* \[?SASL\(-13\): authentication failure: checkpass failed\]?$
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] (?:plaintext|PLAIN|LOGIN) .* \[?SASL\(-13\): authentication failure: checkpass failed\]?$
-	    ^%(__prefix_line)sbadlogin: \S+ \[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
+	    ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] (?:(?:CRAM|DIGEST)-MD5|NTLM|OTP) \[SASL\(-13\): authentication failure: .*\]$
-	    ^%(__prefix_line)sbadlogin: \S+ \[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

testcases/files/logs/cyrus-imap

@@ -8,3 +8,6 @@ Feb 20 17:23:32 cyrus/pop3[4297]: badlogin: example.com [1.2.3.4] plaintext mail
 Jun 8 18:11:13 lampserver imap[4480]: badlogin: example.com [198.51.100.45] DIGEST-MD5 [SASL(-13): authentication failure: client response doesn't match what we generated]
 # failJSON: { "time": "2004-12-21T10:01:57", "match": true , "host": "198.51.100.57" }
 Dec 21 10:01:57 hostname imapd[18454]: badlogin: example.com [198.51.100.57] CRAM-MD5 [SASL(-13): authentication failure: incorrect digest response]
+# failJSON: { "time": "2004-12-30T16:03:27", "match": true , "host": "1.2.3.4" }
+Dec 30 16:03:27 somehost imapd[2517]: badlogin: local-somehost[1.2.3.4] OTP [SASL(-13): authentication failure: External SSF not good enough]
+