I'm trying to get a working regex for Kerio Mailserver. The security logs have the following:
[23/May/2010 02:20:40] Failed POP3 login from 69.50.222.6, user diana@commgtonline.com.
[23/May/2010 02:20:42] Failed POP3 login from 69.50.222.6, user fred@commgtonline.com.
[23/May/2010 02:20:43] Failed POP3 login from 69.50.222.6, user matt@commgtonline.com.
I have searched the web (Google) and can't find anything for Kerio. I've tried the following without success.
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
#timeregex = \S{3}[ ]{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#timepattern = %%d/%%m/%%Y %%H:%%M:%%S
failregex = \[Failed POP3 login from\].*from <HOST>
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Any help would be greatly appreciated.
Thanks
roger at emailstore.us
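
A way to check a candidate failregex against the log lines above before loading it into fail2ban, added here as an example and not part of the original post. It expands <HOST> with the alias quoted in the filter header; CANDIDATE, the helper names and the constructed non-failure line are assumptions.

```python
import re

# <HOST> alias exactly as given in the filter header comment quoted in the post.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the pattern (simplified stand-in for fail2ban)."""
    return re.compile(failregex.replace("<HOST>", HOST))

def matched_hosts(failregex, lines):
    """Return the captured host for each line, or None where the line does not match."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        hosts.append(m.group("host") if m else None)
    return hosts

# The three log lines from the post, one entry per line.
SAMPLE = [
    "[23/May/2010 02:20:40] Failed POP3 login from 69.50.222.6, user diana@commgtonline.com.",
    "[23/May/2010 02:20:42] Failed POP3 login from 69.50.222.6, user fred@commgtonline.com.",
    "[23/May/2010 02:20:43] Failed POP3 login from 69.50.222.6, user matt@commgtonline.com.",
]

# Constructed line in a hypothetical format: a non-failure that must not match.
BENIGN = "[23/May/2010 02:20:50] POP3 login from 192.0.2.10, user alice@example.com."

# The failregex from the post. It requires the literal text
# "[Failed POP3 login from]" in square brackets, which never appears in the log.
POSTED = r"\[Failed POP3 login from\].*from <HOST>"

# Assumed candidate: match the fixed message text, capture the address that
# follows "from", and require the rest of the line to have the logged shape.
# No leading anchor, so it matches with or without the timestamp prefix.
CANDIDATE = r"Failed POP3 login from <HOST>, user \S+\.\s*$"

if __name__ == "__main__":
    for name, rx in (("posted", POSTED), ("candidate", CANDIDATE)):
        print(name, matched_hosts(rx, SAMPLE + [BENIGN]))
```

The same candidate can be checked against the real log file with the fail2ban-regex tool that ships with fail2ban.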