fail2ban/config/filter.d/courier-auth.conf

# Fail2Ban filter for courier authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?

failregex = ^%(__prefix_line)sLOGIN FAILED, (?:(?!ip=)(?:user=<F-USER>[^,]*</F-USER>|\w+=[^,]*), )*ip=\[<HOST>\]

ignoreregex = 

datepattern = {^LN-BEG}

# Author: Christoph Haas
# Modified by: Cyril Jaquier