* tag '0.8.12': (177 commits)
DOC: version and release date to 0.8.12 on 2014-01-22
DOC/ENH: update man pages for release
DOC: ChangeLog dating and normalisation
ENH: continue with rest of fail2ban config even if errors. Closes gh-585
DOC: ChangeLog. Note incompatible changes and group new filters and actions under New Features
BF: complete MANIFEST
DOC: note in man page about "last message repeated" syslog compression. Closes Debian bug #620364
DOC: credits for action.d/badips
BF: dovecot filters, session characters and order of session/tls in log messages
BF Dovecot auth failures
Matching any Exim authentication name
Update exim
ENH: add improper command pipelining postfix filter
Support ACL-events without AccountID. Typically happens when a registration from an unknown domain is performed.
BF: Add ejabberd-auth to jail.conf
ENH: ejabberd filter
TST: for tag substitution, multiple on same line
DOC: spelling + GPL2+ for license
DOC: fixing formatting in the section names of the manpage - \fB to return into bold
DOC: some typos, fixes from Vincent Lefevre
...
I am sorry, I installed the Win GIT, but still did not learn how to work with it, so am posting here again. This time, I'll avoid posting two pull requests, so please fix the dovecot.filter for me, if you don't mind.
This current filter does not match authentication errors in my Dovecot logs (two different lines attached). First of all, the session string is at the end (after the optional TLS string), and not before it as it is now in the filter. I don't see it anywhere in the other logs here in the opposite order, hence I assume it is the rule for all installations. And then, the session ID can also include characters other than those matched by \w+ (i.e. the slash and the plus signs in my case), hence it needs to be \S+ instead. Personally, I'd make the regex much less restrictive than it is, but if I follow the current logic, the following form works:
<pre>^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$</pre>
As explained in https://github.com/grooverdan/fail2ban/pull/4, plenty of other standard authentication names can be used in Exim, and in fact the names can be custom. The failregex in the Exim filter should catch authentication errors regardless of the name of the authentication. Hence replacing the plain|login with the general \w+.
When using Dovecot authentication for Exim, which is relatively common, the current regex for catching authentication failures needs a small tweak. The current plain|login options are too limiting and will only work in the cases when only Exim's rudimentary built-in authentication is used. There can be not only the dovecot_login shown in this log example, but also dovecot_plain, ntlm, cram, cyrus, md5, and plenty of others. In fact, many admins may opt for their own authentication labels when setting up Exim. For this reason the regex should catch any label. I suggest modifying the regex in the following way:
<pre>^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$</pre>
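The effect of the two regex changes described in the posts above, as an added example (not code from fail2ban or from the posts). The stand-ins for `<HOST>`, `%(pid)s` and `%(__prefix_line)s`, the narrowed variants and the log lines are assumptions constructed for illustration; the narrowed Dovecot variant changes only the session character class, not the field order.

```python
import re

# Stand-ins (assumptions) for fail2ban's placeholders; the real expansions of
# <HOST>, %(pid)s and %(__prefix_line)s are broader than these.
SUBS = {"<HOST>": r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})",
        "%(pid)s": r"\[\d+\]",
        "%(__prefix_line)s": r"dovecot: "}

# The two failregex lines proposed on the page, copied verbatim.
EXIM = (r"^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: "
        r"535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$")
DOVECOT = (r"^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)"
           r"(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)"
           r"( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?"
           r"( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}"
           r"(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$")

def expand(template):
    """Substitute the stand-ins into a failregex template and compile it."""
    for tag, pattern in SUBS.items():
        template = template.replace(tag, pattern)
    return re.compile(template)

def banned_host(regex, line):
    """Return the address the filter would act on, or None if the line is missed."""
    m = regex.match(line)
    return m.group("host") if m else None

# Narrower variants using the tokens the posts describe as too restrictive.
EXIM_NARROW = expand(EXIM.replace(r" \w+ authenticator", " (?:plain|login) authenticator"))
DOVECOT_NARROW = expand(DOVECOT.replace(r"session=<\S+>", r"session=<\w+>"))
EXIM_RE, DOVECOT_RE = expand(EXIM), expand(DOVECOT)

# Constructed log lines (documentation addresses), not taken from the posts.
EXIM_LINES = [
    "[2345] dovecot_login authenticator failed for (mail.example) [192.0.2.44]: "
    "535 Incorrect authentication data (set_id=bob)",
    "[2346] login authenticator failed for host.example (client.example) "
    "[192.0.2.45]: 535 Incorrect authentication data",
]
DOVECOT_LINE = ("dovecot: imap-login: Disconnected (auth failed, 2 attempts in 12 secs): "
                "user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, "
                "TLS, session=<aB3/xY+z9Q>")

if __name__ == "__main__":
    for line in EXIM_LINES:  # narrow variant misses the custom authenticator name
        print(banned_host(EXIM_NARROW, line), banned_host(EXIM_RE, line))
    print(banned_host(DOVECOT_NARROW, DOVECOT_LINE), banned_host(DOVECOT_RE, DOVECOT_LINE))
```

A line the filter misses is a failed login that never counts toward a ban, so each regex change is worth checking against real log samples with fail2ban-regex before deployment.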