Dear Maintainer,
Dovecot seems to have changed the logging format between versions 2.3.x
and 2.4.x, rendering the current filter for dovecot logs included with
fail2ban ineffective. The new format on my server is:
Jun 17 03:43:20 auth-worker(randomuser,2001:db8::42)<2104468><wXBHULw37oQgAQcYHgMIAQAAAAAAAAAQ>: request [31]: Info: pam: pam_authenticate() failed: Authentication failure (Password mismatch?)
Jun 17 03:43:22 imap-login: Info: Login aborted: Connection closed (auth failed, 1 attempts in 2 secs) (auth_failed): user=<randomuser>, method=PLAIN, rip=2001:db8::42, lip=2001:db8:10::ca1, TLS: Connection closed, session=<wXBHULw37oQgAQcYHgMIAQAAAAAAAAAQ>
The upstream has recently included support for the new formatin
<https://github.com/fail2ban/fail2ban/pull/4016> and according to
fail2ban-regex the new version matches the latter line correctly, which
is sufficient.
The result is that attacks on IMAP passwords don't get mitigated by fail2ban.
Best regards,
LEdoian