Hi,
The Cyrus pattern shipped in
/etc/pop-before-smtp/pop-before-smtp.conf looks like that:
$pat = '^(... .. ..:..:..) \S+ (?:pop3|imap)[ds]?\[\d+\]: ' .
    'login: [^\[\s]*\s*\[[:f]*(\d+\.\d+\.\d+\.\d+)\] \S+ \S+';
On a Cyrus 2.2 System (Debian Etch) a pop3 login
creates a line like that in the mail.log:
Oct 23 21:47:27 mx3 cyrus/pop3[11390]: login: my.reverse.xy [192.168.1.1] user@foo.bar plaintext User logged in
Do you spot the problem? I am sure ;) There is the word
"cyrus/" missing. I guess that cyrus 2.2 did change
behavior. I added an optional non-backreferencing
pattern to match it and the line looks like that:
$pat = '^(... .. ..:..:..) \S+ (?:cyrus\/)(?:pop3|imap)[ds]?\[\d+\]: ' .
    'login: [^\[\s]*\s*\[[:f]*(\d+\.\d+\.\d+\.\d+)\] \S+ \S+';
But I am pretty unsure, why the Regex should not match
a "User logged in" at the end. The IP should not be
auth'ed, if the last words sound like "verification
failed: Name or service not known" or "authentication
failure: checkpass failed", but the regex might work
because it requires the right amount of []. As I
said: IMVHO the pattern should match "User logged in"
at the end.
Best Regards,
derjohn
Anonymous
Logged In: YES
user_id=35204
The cyrus/ prefix was added in time for 1.39 (released in
January).
As for the matching after the IP part of the pattern, it may
well be that the matching is too lenient -- I have just
relied on users telling me what needs to be matched without
checking the code to see if it could output a failure that
might match. Also, do you know of any other success
messages besides "User logged in"?
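An added example, not part of either post and not pop-before-smtp's own code: a small Perl script that checks a candidate $pat against sample log lines before it goes into pop-before-smtp.conf, comparing the lenient pattern with one anchored on "User logged in". The optional cyrus/ group, the $strict variant, the helper name authorised_ip and every sample line except the first are assumptions; the failure-tail line in particular is constructed, not captured Cyrus output.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern from the post with its escapes intact. Making the cyrus/ group
# optional is an assumption, so that lines without the prefix still match.
my $lenient = '^(... .. ..:..:..) \S+ (?:cyrus\/)?(?:pop3|imap)[ds]?\[\d+\]: ' .
    'login: [^\[\s]*\s*\[[:f]*(\d+\.\d+\.\d+\.\d+)\] \S+ \S+';

# Hypothetical stricter variant: the line must end with the success text.
my $strict = $lenient . ' User logged in$';

# Returns the IP the pattern would authorise, or undef if the line is ignored.
sub authorised_ip {
    my ($pat, $line) = @_;
    return $line =~ /$pat/ ? $2 : undef;
}

my $head = 'Oct 23 21:47:27 mx3 ';
my @samples = (
    # The first line is the one quoted in the post.
    [ 'post, success' => $head .
      'cyrus/pop3[11390]: login: my.reverse.xy [192.168.1.1] user@foo.bar plaintext User logged in' ],
    # Constructed: same success line without the cyrus/ prefix.
    [ 'no cyrus/ prefix' => $head .
      'pop3d[11400]: login: host.example [192.0.2.7] alice plaintext User logged in' ],
    # Constructed: IPv4-mapped address, exercising the [:f]* part.
    [ 'mapped address' => $head .
      'cyrus/imaps[11401]: login: host.example [::ffff:192.0.2.8] alice plaintext User logged in' ],
    # Constructed worst case: login-shaped line that ends in a failure text.
    [ 'failure tail' => $head .
      'cyrus/pop3[11402]: login: host.example [192.0.2.9] bob plaintext authentication failure: checkpass failed' ],
);

for my $s (@samples) {
    my ($label, $line) = @$s;
    printf "%-18s lenient=%-12s strict=%s\n", $label,
        authorised_ip($lenient, $line) // '-',
        authorised_ip($strict,  $line) // '-';
}
```

A line where the lenient column shows an IP and the strict column shows "-" is one that only the unanchored pattern would authorise.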