A new K9 Mail client gets banned all the time and I am trying to work
out why. 

I have this regex: 

failregex = auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>
            dovecot:.+rip=<HOST>.+wrong version number
            dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>
            dovecot:.+auth failed.+rip=<HOST>
            dovecot:.+no auth attemps.+rip=<HOST>

The mail.log has lines like these. The last line spams the log several
times a second. 

Jul 11 06:03:12 mx10 dovecot: imap-login: Login:>,
method=PLAIN, rip=, lip=, mpid=17126, TLS,
TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits) 

Jul 11 06:23:07 mx10 dovecot: imap( Connection
closed (IDLE running for 0.001 + waiting input for 688.172 secs, 2 B in
+ 10+0 B out, state=wait-input) in=179 out=1726 

So I tested the regex and got 11 hits. I'm unsure how to show which lines matched.

# fail2ban-regex /var/log/mail.log.1 `pwd`/filter.d/dovecot.conf -r

Running tests

Use failregex filter file : dovecot, basedir: /etc/fail2ban
Use log file : /var/log/mail.log.1
Use encoding : UTF-8


Failregex: 11 total
|- #) [# of hits] regular expression
| 4) [11] dovecot:.+auth failed.+rip=<HOST>

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [6128] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?:

Lines: 6128 lines, 0 ignored, 11 matched, 6117 missed
[processed in 0.77 sec]

Missed line(s): too many to print. Use --print-all-missed to print all
6117 lines 

For the time being I have set the IPs in the ignoreip regex.

I've not seen the dovecot message "Connection closed (IDLE running for
0.001 + waiting input for" before. I don't know what it means, but the
logs sometimes get spammed by it from K9 Mail.

Has anyone seen this afore? 

Best, Sophie
Fail2ban-users mailing list

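As an added example (not part of the original post or of fail2ban itself), here is a small Python script that runs the five posted failregex lines over a handful of constructed mail.log lines, the way fail2ban-regex does, and reports which line matched which pattern and which lines no pattern touched. The sample log lines are made up (addresses from the 192.0.2.0/24 documentation range); the <HOST> stand-in is a simplification that only accepts IP literals, not the full expression fail2ban uses. It also carries a second copy of the filter with the last pattern spelled "no auth attempts", which is the wording Dovecot actually logs, to show that the posted "attemps" never matches that disconnect message. The "Connection closed (IDLE running for ..." line from the post is included and, as the output shows, matches none of the patterns, so it cannot by itself be what trips the ban.

```python
import re

# fail2ban expands <HOST> to a named group; this simplified stand-in (an
# assumption of this example) accepts IPv4/IPv6 literals only, not hostnames.
HOST_RE = r"(?P<host>[0-9A-Fa-f.:]+)"

# The five failregex lines exactly as posted in the filter.
FAILREGEX = [
    r"auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>",
    r"dovecot:.+rip=<HOST>.+wrong version number",
    r"dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>",
    r"dovecot:.+auth failed.+rip=<HOST>",
    r"dovecot:.+no auth attemps.+rip=<HOST>",
]

# Same filter with the last pattern spelled the way Dovecot actually logs it.
FAILREGEX_FIXED = FAILREGEX[:4] + [r"dovecot:.+no auth attempts.+rip=<HOST>"]

# Constructed sample log lines (not real traffic); the first two mirror the
# shapes quoted in the post, the rest are typical Dovecot/PAM failure lines.
SAMPLE_LOG = [
    "Jul 11 06:03:12 mx10 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, mpid=17126, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)",
    "Jul 11 06:23:07 mx10 dovecot: imap(alice): Connection closed (IDLE running for 0.001 + waiting input for 688.172 secs, 2 B in + 10+0 B out, state=wait-input) in=179 out=1726",
    "Jul 11 06:30:01 mx10 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<constructed>",
    "Jul 11 06:30:05 mx10 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.11, lip=198.51.100.5, TLS, session=<constructed>",
    "Jul 11 06:30:09 mx10 dovecot: imap-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=192.0.2.13, lip=198.51.100.5, session=<constructed>",
    "Jul 11 06:30:12 mx10 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=192.0.2.14",
]


def compile_failregex(patterns):
    """Turn fail2ban-style patterns into Python regexes by expanding <HOST>."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def classify(patterns, lines):
    """Return (hits, missed).

    hits   - list of (pattern_index, host) for every matched line; the first
             pattern that matches a line wins, as in fail2ban.
    missed - the lines no pattern matched (what fail2ban-regex calls missed).
    """
    compiled = compile_failregex(patterns)
    hits, missed = [], []
    for line in lines:
        for idx, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits.append((idx, m.group("host")))
                break
        else:
            missed.append(line)
    return hits, missed


def hits_per_pattern(patterns, lines):
    """Counts per failregex, the way fail2ban-regex reports '[# of hits]'."""
    counts = {}
    for idx, _host in classify(patterns, lines)[0]:
        counts[idx] = counts.get(idx, 0) + 1
    return counts


if __name__ == "__main__":
    for name, pats in (("as posted", FAILREGEX), ("fixed", FAILREGEX_FIXED)):
        hits, missed = classify(pats, SAMPLE_LOG)
        print(f"{name}: {len(hits)} matched, {len(missed)} missed")
        for idx, host in hits:
            print(f"  {idx + 1}) {host}  <- {pats[idx]}")
        for line in missed:
            print(f"  missed: {line[:70]}...")
```

Running it prints 3 matched / 3 missed for the filter as posted (the Login line, the IDLE line and the "no auth attempts" line are all missed) and 4 matched / 2 missed once "attemps" is spelled "attempts". To see which real lines produced the 11 hits, fail2ban-regex has a --print-all-matched flag alongside the --print-all-missed one shown in its own output.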