Hm. Those are fair comments. I do think I added the LOGIN line because of my specific installation. And there are fundamental problems with using regular expressions for log parsing.

I had also found this write-up with a similar patch to what I'd proposed. https://systemadminspro.com/fail2ban-and-exim-on-ubuntu/

I think the problem with the %(pid)s optional pattern is that it leaves an unneeded space in the pattern.

From https://salsa.debian.org/python-team/packages/fail2ban/-/blob/master/config/filter.d/exim.conf#L24 the pattern

"^%(pid)s SMTP protocol error in ..."

won't match

"2021-10-24 00:28:54 SMTP protocol error in "AUTH LOGIN" H=(User) ...

because after stripping off the timestamp we're left with the pattern "SMTP protocol..." not being able to match "^ SMTP protocol..."

Maybe it'd work better if

filter.d/common.conf:24:__pid_re = (?:\[\d+\])

was instead something like:

filter.d/common.conf:24:__pid_re = (?:\[\d+\]) ?

Though maybe it needs to be a __pid_re specific to exim? Or the exim.conf pattern should allow blank spaces? Something like "^%(pid)s *SMTP protocol..."

Diane
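
Added example, not part of the message above and not fail2ban's own code: a small Python check of the mismatch the message describes and of the relaxed "^%(pid)s *SMTP protocol..." form it suggests. It assumes the pid group is optional and that the timestamp is removed together with the space after it before the pattern is applied; the sample lines and the address 192.0.2.10 are constructed.

```python
import re

# Assumption: the pid group is optional, as the message describes it.
PID = r"(?:\[\d+\])?"

# Prefix of the failregex quoted in the message, and the relaxed form
# suggested at its end. "%(pid)s" is expanded by plain string interpolation.
ORIGINAL = r"^%(pid)s SMTP protocol error in " % {"pid": PID}
RELAXED = r"^%(pid)s *SMTP protocol error in " % {"pid": PID}

# Constructed sample lines, shown as they look once the timestamp and the
# space after it have been stripped (the behaviour described in the message).
NO_PID = 'SMTP protocol error in "AUTH LOGIN" H=(User) [192.0.2.10]'
WITH_PID = '[1234] SMTP protocol error in "AUTH LOGIN" H=(User) [192.0.2.10]'
# The same phrase appearing later in a line must not trigger the filter.
MID_LINE = 'H=(User) [192.0.2.10] said: SMTP protocol error in "AUTH LOGIN"'


def matches(pattern, line):
    """Return True when the pattern finds a match in the line."""
    return re.search(pattern, line) is not None


def compare():
    """Run both patterns over every sample line and collect the results."""
    samples = {"no_pid": NO_PID, "with_pid": WITH_PID, "mid_line": MID_LINE}
    patterns = {"original": ORIGINAL, "relaxed": RELAXED}
    return {
        (pname, sname): matches(pat, line)
        for pname, pat in patterns.items()
        for sname, line in samples.items()
    }


if __name__ == "__main__":
    for (pname, sname), hit in sorted(compare().items()):
        print(f"{pname:8} {sname:8} {'match' if hit else 'no match'}")
```

Both forms keep the leading ^ anchor, so relaxing the space does not let text further along the line satisfy the prefix.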

