Fail2Ban - postfix-sasl filter issue

[timber]

Hi!

I've been experiencing SASL authentication attacks and have been wondering why Fail2Ban didn't recognize and ban them:

Aug 16 16:18:29 hosting02 postfix/smtpd[9899]: warning: server.domain.com[AAA.BBB.CCC.DDD]: SASL login authentication failed: authentication failure

The "login" is in lowercase. This seems to have changed recently for some reason because when I google it, all I found are uppercase "LOGIN" log entries. Hence, the postfix-sasl filter regex:

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed [ A-Za-z0-9+/]*={0,2})?\s*$

This simply did not match with my log entries in /var/log/maillog. The workaround was to match both entries. Lowercase and uppercase:

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:login|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed [ A-Za-z0-9+/]*={0,2})?\s*$
^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed [ A-Za-z0-9+/]*={0,2})?\s*$

Did anybody else experience this?

Cheers