Regex for Courier not working

Any help would be appreciated here. I've seen one or two other Courier forum entries, but the regexes there have not helped.

My log entry is:

    Feb 9 04:51:25 pop3d: LOGIN FAILED, user=frances, ip=[62.219.166.87]

I've added the following regex to blockhosts.cfg:

    "courier-LoginFail":
        r'{LOG_PREFIX{pop3d}} LOGIN FAILED, ip=\[{HOST_IP}]',

and enabled it via:

    ENABLE_RULES = r'(?i)(sshd|pop3d).*' # default (?i) for IGNORECASE matching

Now something definitely happens with pop3d as the following gets inserted into hosts.deny on a run:

    #bh: logfile: /var/log/maillog
    #bh: offset: 8527322
    #bh: first line:Feb 6 04:12:53 nakedaa1 pop3d: Connection, ip=[196.210.228.192]

There are a lot of 'LOGIN FAILED' in the maillog file so many hosts should be tagged, but nothing gets tagged. Here are some entries:

    Feb 9 05:07:48 hostname pop3d: LOGIN FAILED, user=jan, ip=[62.219.166.87]
    Feb 9 05:07:48 hostname pop3d: LOGIN FAILED, user=jean, ip=[62.219.166.87]
    Feb 9 05:07:49 hostname pop3d: LOGIN FAILED, user=jason, ip=[62.219.166.87]
    Feb 9 05:07:50 hsotname pop3d: LOGIN FAILED, user=jeffry, ip=[62.219.166.87]
    Feb 9 05:07:50 hostname pop3d: LOGIN FAILED, user=jeff, ip=[62.219.166.87]
    Feb 9 05:07:51 hostname pop3d: LOGIN FAILED, user=jarod, ip=[62.219.166.87]
    Feb 9 05:07:52 hostname pop3d: LOGIN FAILED, user=ivan, ip=[62.219.166.87]

These are all from the same IP address, so blockhosts should trigger on them. So this problem is maybe about an incorrect regex, before any blocking.

courier login failed regex

Right, the regex fails to match (there is ,user left unmatched).
Try this:

    "courier-LoginFail":
        r'{LOG_PREFIX{pop3d}} LOGIN FAILED, user=.*, ip=\[{HOST_IP}]$'

Thanks ac, I've tried your

Thanks ac, I've tried your line but still no luck. To clarify, I have the following in blockhosts.cfg:

    LOGFILES = [ "/var/log/secure", "/var/log/maillog", ]
    ENABLE_RULES = r'(?i)(sshd|pop3d).*'
    "courier-LoginFail":
        r'{LOG_PREFIX{pop3d}} LOGIN FAILED, user=.*, ip=\[{HOST_IP}]$',

in hosts.deny:

    sshd: ALL: spawn /usr/bin/blockhosts.py --echo "%c-%s" --ipblock="ip route" --mail --verbose >> /var/log/blockhosts.log 2>&1 & : allow

    pop3d: ALL: spawn /usr/bin/blockhosts.py --echo "%c-%s" --ipblock="ip route" --mail --verbose >> /var/log/blockhosts.log 2>&1 & : allow

If I clean out the pop3d portion of hosts.deny and rerun 'blockhosts.py --verbose', I get:

    blockhosts.py --verbose
    blockhosts 2.4.0 started: 2011-03-17 12:20:14 GMT
    ... loaded /etc/hosts.deny, starting counts: blocked 23, watched 24
    ... loading log file /var/log/secure, offset: 31287
    Warning: no offset found, will read from beginning in logfile: /var/log/maillog
    ... loading log file /var/log/maillog, offset: 0
    ... discarding all host entries older than 2011-03-10 12:20:14 GMT
    ... final counts: blocked 23, watched 24
    ... sending email notification

/var/log/maillog contains:

    Mar 14 21:34:41 xxx pop3d: Connection, ip=[61.187.10.179]
    Mar 14 21:34:42 xxx pop3d: LOGIN FAILED, user=root, ip=[61.187.10.179]
    Mar 14 21:34:47 xxx pop3d: Disconnected, ip=[61.187.10.179]

Appreciate your help.

Regards, Robby

ENABLE_RULES requires different name

ENABLE_RULES = r'(?i)(sshd|pop3d).*' only enables rules with names starting with sshd or pop3d.

So change the name from "courier-LoginFail" to "pop3d-courier" in the REGEXS list so that the name starts with pop3d, or change ENABLE_RULES to ENABLE_RULES = r'(?i)(sshd|pop3d|courier).*', and that should take care of it.
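
The two failures diagnosed in this thread (the missing `user=` field in the pattern, and a rule name that ENABLE_RULES never selects) can be reproduced offline with the sketch below. It is an added example, not blockhosts' own code or any poster's: `expand`, `LOG_PREFIX` and `HOST_IP` are assumed stand-ins for the `{LOG_PREFIX{...}}` and `{HOST_IP}` macros, and the name filter is applied from the start of the rule name, as the last reply describes.

```python
import re
from collections import Counter

# Assumed stand-ins for blockhosts' {LOG_PREFIX{daemon}} and {HOST_IP} macros;
# the real expansions are defined in blockhosts.py and may differ.
LOG_PREFIX = r'^\w{3}\s+\d+ [\d:]{8} (?:\S+ )?%s(?:\[\d+\])?:'
HOST_IP = r'(?P<host_ip>\d{1,3}(?:\.\d{1,3}){3})'

def expand(rule):
    """Substitute the two macros with the stand-in patterns above."""
    rule = re.sub(r'\{LOG_PREFIX\{(\w+)\}\}',
                  lambda m: LOG_PREFIX % re.escape(m.group(1)), rule)
    return rule.replace('{HOST_IP}', HOST_IP)

def failed_ips(rules, enable_rules, lines):
    """Count matches per IP, using only rules whose NAME matches enable_rules."""
    enabled = [re.compile(expand(rx)) for name, rx in rules.items()
               if re.match(enable_rules, name)]  # anchored at start of the name
    hits = Counter()
    for line in lines:
        for rx in enabled:
            m = rx.search(line)
            if m:
                hits[m.group('host_ip')] += 1
                break
    return dict(hits)

ORIGINAL = r'{LOG_PREFIX{pop3d}} LOGIN FAILED, ip=\[{HOST_IP}]'
FIXED = r'{LOG_PREFIX{pop3d}} LOGIN FAILED, user=.*, ip=\[{HOST_IP}]$'
ENABLE = r'(?i)(sshd|pop3d).*'

# Log lines copied from the posts in this thread.
LINES = [
    "Mar 14 21:34:41 xxx pop3d: Connection, ip=[61.187.10.179]",
    "Mar 14 21:34:42 xxx pop3d: LOGIN FAILED, user=root, ip=[61.187.10.179]",
    "Mar 14 21:34:47 xxx pop3d: Disconnected, ip=[61.187.10.179]",
    "Feb 9 05:07:48 hostname pop3d: LOGIN FAILED, user=jan, ip=[62.219.166.87]",
    "Feb 9 05:07:48 hostname pop3d: LOGIN FAILED, user=jean, ip=[62.219.166.87]",
    "Feb 9 04:51:25 pop3d: LOGIN FAILED, user=frances, ip=[62.219.166.87]",
]

if __name__ == '__main__':
    for name, rx in [("courier-LoginFail", ORIGINAL),
                     ("courier-LoginFail", FIXED),
                     ("pop3d-courier", FIXED)]:
        print(name, rx, failed_ips({name: rx}, ENABLE, LINES))
```

Only the third combination reports hits; the first two print an empty result because the rule is filtered out by name before its pattern is ever tried.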