On 29/01/2014 10:51, Daniel Black wrote:

Please tell us the full contents of filter.d/dovecot.local ?

It needs a [Definition] section too like the filter.


That was the problem, thanks

You can tell us what filters/jails/log samples you're using and we can
get it incorporated too :-)


The log lines we have for failures, using mysql, are (genuine users and their IPs are obfuscated):

Jan 29 09:33:58 pop3-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=<grace>, method=PLAIN, rip=212.9.180.3

Jan 29 09:34:17 pop3-login: Info: Aborted login (auth failed, 1 attempts in 62 secs): user=<carl.matx@sxxxxxxx.net>, method=PLAIN, rip=1.2.3.4, TLS

Jan 29 09:38:03 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 178 secs): user=<suzanne>, method=PLAIN, rip=117.218.51.80

Jan 29 09:38:46 pop3-login: Info: Disconnected (no auth attempts in 10 secs): user=<>, rip=176.61.137.100, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

... there are a few imaps that have the same format as pop3-login

My current matching rules are based on the older "unanchored" methods, and may not catch all of the above (the TLS handshake failure is a new logged error only noticed today) since it has been a while.

^(?: imap-login|pop3-login): .*(?:Disconnected|Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*)$

^(?: imap-login|pop3-login): .*(?:Disconnected|Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*$

Yes, these are doubled up, because I could never get them to take plain _and_ tls|secure; it would only ever work on one or the other, hence my "doubling up", but, as mentioned, this is likely my lack of Python knowledge; trying Perl-based regexes didn't work :)
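As an added illustration (this is not code from the thread, from fail2ban, or from Dovecot), the following Python script runs a single pattern over the four sample lines quoted above. It shows why the two regexes had to be doubled up: `rip=(?P<host>\S*)$` cannot stop before the `, TLS` suffix, whereas a host group that excludes commas and whitespace, followed by an optional `,.*`, matches both the plain and the TLS variants. It also keeps the "no auth attempts" TLS handshake line separate, because that line records no failed credential and a filter whose alternation includes a bare `Disconnected` would count it as an auth failure. The timestamp handling, the `maxretry` threshold helper and the function names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample: the four log lines from the thread, already obfuscated by the poster.
SAMPLE_LOG = """\
Jan 29 09:33:58 pop3-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=<grace>, method=PLAIN, rip=212.9.180.3
Jan 29 09:34:17 pop3-login: Info: Aborted login (auth failed, 1 attempts in 62 secs): user=<carl.matx@sxxxxxxx.net>, method=PLAIN, rip=1.2.3.4, TLS
Jan 29 09:38:03 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 178 secs): user=<suzanne>, method=PLAIN, rip=117.218.51.80
Jan 29 09:38:46 pop3-login: Info: Disconnected (no auth attempts in 10 secs): user=<>, rip=176.61.137.100, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
"""

# Optional syslog-style timestamp prefix (assumed format; fail2ban normally strips the date itself).
TIMESTAMP = r"^(?:\w{3} +\d{1,2} \d\d:\d\d:\d\d )?"

# One pattern for every "auth failed" variant seen in the sample, plain or TLS.
# The host group excludes ',' and whitespace, so ", TLS" (or nothing) may follow it.
AUTH_FAIL_RE = re.compile(
    TIMESTAMP
    + r"(?:imap|pop3)-login: Info: "
    + r"(?:Aborted login|Disconnected(?:: Inactivity)?) "
    + r"\(auth failed, \d+ attempts in \d+ secs\): "
    + r"user=<[^>]*>, method=\S+, "
    + r"rip=(?P<host>[^,\s]+)"
    + r"(?:,.*)?$"
)

# Disconnects with no credential presented (e.g. the TLS handshake failure above).
# Kept separate on purpose: it is not evidence of a password-guessing attempt.
NO_AUTH_RE = re.compile(
    TIMESTAMP
    + r"(?:imap|pop3)-login: Info: Disconnected \(no auth attempts in \d+ secs\): "
    + r"user=<>, rip=(?P<host>[^,\s]+)"
)


def failed_auth_hosts(log_text):
    """Return the rip= host of every line that records a failed authentication."""
    return [m.group("host") for m in map(AUTH_FAIL_RE.match, log_text.splitlines()) if m]


def no_auth_disconnect_hosts(log_text):
    """Return hosts that disconnected without ever attempting to authenticate."""
    return [m.group("host") for m in map(NO_AUTH_RE.match, log_text.splitlines()) if m]


def hosts_over_threshold(log_text, maxretry=3):
    """Hosts whose failed-auth count reaches maxretry, mimicking a jail's maxretry check."""
    counts = Counter(failed_auth_hosts(log_text))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("failed auth:", failed_auth_hosts(SAMPLE_LOG))
    print("no auth attempt:", no_auth_disconnect_hosts(SAMPLE_LOG))
    print("would ban (maxretry=1):", hosts_over_threshold(SAMPLE_LOG, maxretry=1))
```

Running it over the sample reports three hosts for failed authentication and lists 176.61.137.100 only under the no-auth category; with the sample's one attempt per host, a `maxretry` of 2 or more bans nobody, which is the behaviour to expect from a jail before repeated attempts accumulate.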