From cde389cadc8473c14b17b927bdaa3a85704d2d84 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Tue, 29 Oct 2013 10:15:54 +1100
Subject: [PATCH] ENH: additional tweek to dovecot regex based on http://chrisgilligan.com/portfolio/fail2ban-regex/
---
 config/filter.d/dovecot.conf | 2 +-
 testcases/files/logs/dovecot | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf
index 51c28af4..dd0e7678 100644
--- a/config/filter.d/dovecot.conf
+++ b/config/filter.d/dovecot.conf
@@ -9,7 +9,7 @@ before = common.conf
 [Definition]
-_daemon = (dovecot(-auth)?|auth-worker)
+_daemon = (auth|dovecot(-auth)?|auth-worker)
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile.
 # first regex is essentially a copy of pam-generic.conf
diff --git a/testcases/files/logs/dovecot b/testcases/files/logs/dovecot
index 733552df..80313b75 100644
--- a/testcases/files/logs/dovecot
+++ b/testcases/files/logs/dovecot
@@ -35,3 +35,7 @@ Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSER
 # failJSON: { "time": "2013-08-11T03:56:40", "match": true , "host": "1.2.3.4" }
 2013-08-11 03:56:40 auth-worker(default): Info: pam(username,1.2.3.4): pam_authenticate() failed: Authentication failure (password mismatch?)
+
+# failJSON: { "time": "2005-05-19T05:22:20", "match": true , "host": "80.255.3.104" }
+Apr 19 05:22:20 vm5 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=informix rhost=80.255.3.104
+
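Review bot: The new `auth` alternative in `_daemon` is a generic syslog tag rather than a dovecot-specific one, so lines from any program that logs as `auth` can now reach this filter's failregex. The failregex is outside the hunk, so please confirm that it still ties a match to dovecot (the added sample carries `pam_unix(dovecot:auth)` and `tty=dovecot`); otherwise failures from an unrelated service could count toward a ban. I would add a comment above the line saying why the tag is accepted, for example `# "auth" is the tag seen on pam_unix lines for dovecot logins (see testcases/files/logs/dovecot)`. A sample with `"match": false` for an `auth:` line from another service would make a false positive visible in the tests.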
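Review bot: The expected time in the added `failJSON` line is `2005-05-19T05:22:20`, but the sample log line below it is stamped `Apr 19 05:22:20`, so the month disagrees (05 against April). If the test harness compares the parsed timestamp, this sample either fails or pins the wrong date. The annotation should presumably read `# failJSON: { "time": "2005-04-19T05:22:20", "match": true , "host": "80.255.3.104" }`. The year 2005 does not appear in the log line and is assumed to be the harness default for syslog stamps without a year.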