[Dovecot] Fail2Ban and the Dovecot log
Bill Landry
bill at inetmsg.com
Mon May 11 23:06:20 EEST 2009

Lou Duchez wrote:
> Is there any way to disable the "dovecot: " at the beginning of each
> line of the log?  Fail2Ban responds poorly to it.  I know there are a
> number of sites with "failregex" strings for Fail2Ban and Dovecot, but
> I've tried them all, and they don't work, at least with the latest
> Fail2ban and the latest Dovecot.  The Fail2Ban wiki is pretty clear
> about why there will be a problem:
> 
> "In order for a log line to match your failregex, it actually has to
> match in two parts: the beginning of the line has to match a timestamp
> pattern or regex, and the remainder of the line has to match your
> failregex.".
> 
> So in other words, Fail2Ban expects that each line of the log will start
> with a timestamp.

Hmmm, I'm using:

   dovecot --version
   1.2.rc3
   rpm -q fail2ban
   fail2ban-0.8.3-18.fc10.noarch

and this seems to work just fine for me:

   failregex = auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)

in my /etc/fail2ban/filter.d/dovecot.conf.

Bill
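
To check a filter like the one above against log lines before relying on it, the following added example (not code from the message or from fail2ban) models the two-part match as the quoted wiki text describes it: a timestamp at the start of the line, then the failregex on the remainder. The `<HOST>` expansion, the timestamp pattern and the log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Approximation of what fail2ban substitutes for <HOST> (assumption, not the project's code).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Syslog-style timestamp such as "May 11 22:58:01" (assumed log_timestamp layout).
TIMESTAMP = re.compile(r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}")

# failregex quoted in the message above.
FAILREGEX = r"auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)"

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    "May 11 22:58:01 mail dovecot: auth-worker(default): passwd(baduser,203.0.113.5): unknown user",
    "May 11 22:58:09 mail dovecot: auth-worker(default): passwd(root,203.0.113.5): Password mismatch",
    "May 11 22:59:30 mail dovecot: imap-login: Login: user=<bill>, method=PLAIN, rip=198.51.100.7",
    # Layout with "dovecot: " ahead of the timestamp, as in the question.
    "dovecot: May 11 23:01:12 Info: auth-worker(default): passwd(guest,203.0.113.9): unknown user",
]


def match_host(line, failregex=FAILREGEX):
    """Return the offending host if the line matches in both parts, else None."""
    ts = TIMESTAMP.match(line)      # part 1: line must begin with a timestamp
    if ts is None:
        return None
    rest = line[ts.end():]          # part 2: failregex against the remainder
    m = re.search(failregex.replace("<HOST>", HOST_GROUP), rest)
    return m.group("host") if m else None


def scan(lines, failregex=FAILREGEX):
    """Count matching failures per host over an iterable of log lines."""
    hits = Counter()
    for line in lines:
        host = match_host(line, failregex)
        if host is not None:
            hits[host] += 1
    return dict(hits)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_host(line), "<-", line)
    print(scan(SAMPLE_LOG))
```

fail2ban ships a `fail2ban-regex` tool that runs the real matcher against a log file and a filter, which is the authoritative check.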
    
    