Thanks LEdoian,

The change from PR 4016 was what I was looking for. With this fail2ban is detecting dovecot logins again on this version.

--

Met vriendelijke groet / Regards,

Herman van Rink
Initfour websolutions

On Tue, 17 Jun 2025 04:59:29 +0000 LEdoian <[email protected]> wrote:

> Package: fail2ban
> Version: 1.1.0-8
> Severity: normal
> Tags: upstream
>
> Dear Maintainer,
>
> Dovecot seems to have changed the logging format between versions 2.3.x
> and 2.4.x, rendering the current filter for dovecot logs included with
> fail2ban ineffective. The new format on my server is:
>
> Jun 17 03:43:20 auth-worker(randomuser,2001:db8::42)<2104468><wXBHULw37oQgAQcYHgMIAQAAAAAAAAAQ>: request [31]: Info: pam: pam_authenticate() failed: Authentication failure (Password mismatch?)
> Jun 17 03:43:22 imap-login: Info: Login aborted: Connection closed (auth failed, 1 attempts in 2 secs) (auth_failed): user=<randomuser>, method=PLAIN, rip=2001:db8::42, lip=2001:db8:10::ca1, TLS: Connection closed, session=<wXBHULw37oQgAQcYHgMIAQAAAAAAAAAQ>
>
> The upstream has recently included support for the new format in
> <https://github.com/fail2ban/fail2ban/pull/4016> and according to
> fail2ban-regex the new version matches the latter line correctly, which
> is sufficient.
>
> The result is that attacks on IMAP passwords don't get mitigated by fail2ban.
>
> Best regards,
> LEdoian
>
> -- System Information:
> Debian Release: 13.0
> APT prefers testing-security
> APT policy: (500, 'testing-security'), (500, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 6.12.21-cloud-amd64 (SMP w/1 CPU thread; PREEMPT)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE=en_US:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages fail2ban depends on:
> ii python3 3.13.3-1
> ii python3-systemd 235-1+b6
>
> Versions of packages fail2ban recommends:
> ii nftables 1.1.2-1
> ii python3-pyinotify 0.9.6-5
> ii python3-setuptools 78.1.1-0.1
> ii whois 5.6.1
>
> Versions of packages fail2ban suggests:
> ii bsd-mailx [mailx] 8.1.2-0.20220412cvs-1
> pn monit <none>
> ii rsyslog [system-log-daemon] 8.2504.0-1
> ii sqlite3 3.46.1-6
>
> -- no debconf information
>
>
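An added example, not part of the original messages and not fail2ban's own filter: a stand-alone check that the Dovecot 2.4-style "Login aborted" line quoted in the report yields the remote address a ban would act on, while the auth-worker line does not match. The pattern and the function names are written for this illustration; the third sample line is constructed.

```python
import ipaddress
import re
from collections import Counter

# Illustrative pattern written for this example; it is NOT fail2ban's filter.
AUTH_FAILED = re.compile(
    r"\b(?P<service>\w+)-login: Info: Login aborted: .*?"
    r"\(auth failed, (?P<attempts>\d+) attempts? in \d+ secs\) \(auth_failed\): "
    r"user=<(?P<user>[^>]*)>, method=[^,]+, rip=(?P<rip>[0-9A-Fa-f:.]+),"
)

# The two lines quoted in the report, plus one constructed IPv4 variant.
SAMPLE_LINES = [
    "Jun 17 03:43:20 auth-worker(randomuser,2001:db8::42)<2104468>"
    "<wXBHULw37oQgAQcYHgMIAQAAAAAAAAAQ>: request [31]: Info: pam: "
    "pam_authenticate() failed: Authentication failure (Password mismatch?)",
    "Jun 17 03:43:22 imap-login: Info: Login aborted: Connection closed "
    "(auth failed, 1 attempts in 2 secs) (auth_failed): user=<randomuser>, "
    "method=PLAIN, rip=2001:db8::42, lip=2001:db8:10::ca1, TLS: Connection "
    "closed, session=<wXBHULw37oQgAQcYHgMIAQAAAAAAAAAQ>",
    # Constructed for this example (not from the report):
    "Jun 17 03:44:01 imap-login: Info: Login aborted: Connection closed "
    "(auth failed, 3 attempts in 9 secs) (auth_failed): user=<other>, "
    "method=PLAIN, rip=192.0.2.7, lip=192.0.2.1, TLS: Connection closed, "
    "session=<constructed>",
]

def failed_login(line):
    """Return (user, remote_ip, attempts) for an auth-failure line, else None."""
    m = AUTH_FAILED.search(line)
    if not m:
        return None
    try:
        # Reject anything that only looks like an address (e.g. "1.2.3").
        ip = ipaddress.ip_address(m["rip"])
    except ValueError:
        return None
    return m["user"], str(ip), int(m["attempts"])

def count_failures(lines):
    """Sum the reported failed attempts per remote address."""
    counts = Counter()
    for line in lines:
        hit = failed_login(line)
        if hit:
            counts[hit[1]] += hit[2]
    return counts

if __name__ == "__main__":
    for ip, n in count_failures(SAMPLE_LINES).items():
        print(f"{ip}: {n} failed attempt(s)")
```

To test the filter that is actually installed, run `fail2ban-regex` against the real log, as the report describes.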
