I'm very sorry, I messed up. The lines in my syslog read like this:

Oct 21 21:36:33 phoenix imapd[1582]: connect from 192.168.1.3 (192.168.1.3)

I'm not sure whether the first one is a hostname or the second, but the line should probably change to:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd\[[0-9]+\]: (connect|(port (143|220)|imap(s SSL)?) service init) from [\.0-9]+ (\([\.0-9]+\))?$

--
Wouter de Vries <w.l.devries at student.tudelft.nl>
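Added example, not part of the original message: a small shell harness that runs the rule proposed above against the quoted syslog line and a few constructed variants, to show which lines the rule would match. It assumes the rule is evaluated as a POSIX extended regex by GNU `grep -E` (`\w` is a GNU extension); the function and variable names are hypothetical.

```shell
#!/bin/sh
# Rule copied verbatim from the message above.
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd\[[0-9]+\]: (connect|(port (143|220)|imap(s SSL)?) service init) from [\.0-9]+ (\([\.0-9]+\))?$'

# rule_matches LINE: exit status 0 when the whole line is matched by RULE.
rule_matches() {
    printf '%s\n' "$1" | grep -Eq -- "$RULE"
}

# Line quoted in the message.
LINE_SAMPLE='Oct 21 21:36:33 phoenix imapd[1582]: connect from 192.168.1.3 (192.168.1.3)'

# Constructed variants (not real log output):
# syslog pads single-digit days with a space; [ :0-9]{11} covers that.
LINE_SINGLE_DIGIT_DAY='Oct  1 21:36:33 phoenix imapd[1582]: connect from 192.168.1.3 (192.168.1.3)'
# No parenthesised address and no trailing space: the literal space before
# the optional group is still required, so this is not matched.
LINE_NO_PAREN='Oct 21 21:36:33 phoenix imapd[1582]: connect from 192.168.1.3'
# Same line with a trailing space: matched.
LINE_NO_PAREN_SPACE='Oct 21 21:36:33 phoenix imapd[1582]: connect from 192.168.1.3 '
# A resolved hostname in the first field: [\.0-9]+ accepts no letters,
# so this line is not matched and would still be reported.
LINE_HOSTNAME='Oct 21 21:36:33 phoenix imapd[1582]: connect from client.example.org (192.168.1.3)'

# Print the verdict for every test line.
for line in "$LINE_SAMPLE" "$LINE_SINGLE_DIGIT_DAY" "$LINE_NO_PAREN" \
            "$LINE_NO_PAREN_SPACE" "$LINE_HOSTNAME"; do
    if rule_matches "$line"; then
        printf 'matched      [%s]\n' "$line"
    else
        printf 'not matched  [%s]\n' "$line"
    fi
done
```
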