I’ve put a regex rule in CSF/LFD at /usr/local/csf/bin/regex.custom.pm;
# 535 Incorrect authentication data
# 8 tries; 2 day ban [customize]
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*dovecot_.*authenticator failed for.*\[(\S+)\]:\d+:\s+535 Incorrect authentication data .*/)) {
return ("Authenticator failed: 535 Incorrect authentication data from",$1,"dovecot_authenticator_failed","8","","172809");
}
where CUSTOM1_LOG = “/var/log/exim4/rejectlog” in /etc/csf/csf.conf
Something similar could also be accomplished with fail2ban, but I prefer CSF/LFD because I use its lists on several machines and they work together by sharing their bans etc.
Perhaps an idea to lift the “This topic will close a month after the last reply.” thing here. It’s really strange, for old usenet guys like me it was quite common to respond to threads that are years old… These topics keep being started, because I could not add to the previous ones…