#1107903 fail2ban: Fail2ban 1.1.0-8's filter does not match logs from dovecot 1:2.4.1+dfsg1-4

Package:
fail2ban
Source:
fail2ban
Submitter:
LEdoian
Date:
2026-03-01 19:33:02 UTC
Severity:
normal
Tags:

#1107903#5
Date:
2025-06-17 04:59:29 UTC
From:
To:
Dear Maintainer,

Dovecot seems to have changed the logging format between versions 2.3.x
and 2.4.x, rendering the current filter for dovecot logs included with
fail2ban ineffective. The new format on my server is:

Jun 17 03:43:20 auth-worker(randomuser,2001:db8::42)<2104468><wXBHULw37oQgAQcYHgMIAQAAAAAAAAAQ>: request [31]: Info: pam: pam_authenticate() failed: Authentication failure (Password mismatch?)
Jun 17 03:43:22 imap-login: Info: Login aborted: Connection closed (auth failed, 1 attempts in 2 secs) (auth_failed): user=<randomuser>, method=PLAIN, rip=2001:db8::42, lip=2001:db8:10::ca1, TLS: Connection closed, session=<wXBHULw37oQgAQcYHgMIAQAAAAAAAAAQ>

The upstream has recently included support for the new format in
<https://github.com/fail2ban/fail2ban/pull/4016> and according to
fail2ban-regex the new version matches the latter line correctly, which
is sufficient.

The result is that attacks on IMAP passwords don't get mitigated by fail2ban.

Best regards,
LEdoian
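
Added example, not part of the report and not fail2ban's own code: a small Python check that pulls the remote address out of the 2.4.x "Login aborted ... (auth failed, ...)" line quoted above and skips the auth-worker line. The pattern is illustrative and is not the failregex from PR 4016; it assumes the field order shown in the report, and the function and constant names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# The two dovecot 2.4.x lines quoted in the report above.
REPORT_LINES = [
    "Jun 17 03:43:20 auth-worker(randomuser,2001:db8::42)<2104468><wXBHULw37oQgAQcYHgMIAQAAAAAAAAAQ>: request [31]: Info: pam: pam_authenticate() failed: Authentication failure (Password mismatch?)",
    "Jun 17 03:43:22 imap-login: Info: Login aborted: Connection closed (auth failed, 1 attempts in 2 secs) (auth_failed): user=<randomuser>, method=PLAIN, rip=2001:db8::42, lip=2001:db8:10::ca1, TLS: Connection closed, session=<wXBHULw37oQgAQcYHgMIAQAAAAAAAAAQ>",
]

# Illustrative pattern written for this example; it is NOT the failregex
# from fail2ban PR 4016. Field order is assumed to be as in the report.
# user=<...> is matched greedily so that the rip= taken is the last one
# followed by lip=, never text embedded in the client-supplied user name.
LOGIN_ABORTED = re.compile(
    r"\b(?P<service>[a-z0-9]+)-login: Info: Login aborted: "
    r".*?\(auth failed, (?P<attempts>\d+) attempts in \d+ secs\)"
    r".*?: user=<(?P<user>.*)>, method=[^,\s]+, "
    r"rip=(?P<rip>[0-9A-Fa-f:.]+), lip="
)


def failed_logins(lines):
    """Return a Counter mapping remote IP -> failed attempts reported."""
    totals = Counter()
    for line in lines:
        m = LOGIN_ABORTED.search(line)
        if m is None:
            continue  # e.g. the auth-worker line, which this pattern ignores
        try:
            # Validate and normalise the address before counting it.
            rip = str(ipaddress.ip_address(m["rip"]))
        except ValueError:
            continue  # rip= did not hold a valid IPv4/IPv6 address
        totals[rip] += int(m["attempts"])
    return totals


if __name__ == "__main__":
    for ip, attempts in failed_logins(REPORT_LINES).items():
        print(ip, attempts)
```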

#1107903#10
Date:
2026-01-19 21:37:21 UTC
From:
To:
Thanks LEdoian, the change from PR 4016 was what I was looking for.
With this fail2ban is detecting dovecot logins again on this version.

#1107903#15
Date:
2026-03-01 19:26:34 UTC
From:
To:
Hello,

I can confirm that patching
/etc/fail2ban/filter.d/dovecot.conf
with the changes from the PR works fine.