Dovecot filter: Too many invalid (bad) commands
Environment:
Fail2Ban version 0.9.3-1 all
Ubuntu 16.04 LTS, xenial
dovecot 2.2.22
Fail2Ban installed via OS/distribution mechanisms
You have not applied any additional foreign patches to the codebase
Some customizations were done to the configuration (provide details below if so)

The issue:
The following log lines from mail.log are not matched by the current filter:
Nov 26 11:11:21 hostname dovecot: imap-login: Disconnected: Too many invalid commands (tried to use disallowed plaintext auth): user=<willi>, rip=xx.xx.xxx.xx, lip=yy.yyy.yy.yy, session=<S5dIdTFCDKUWWMbU>
Nov 26 11:12:19 hostname dovecot: imap-login: Disconnected: Too many invalid commands (auth failed, 1 attempts in 17 secs): user=<willi>, method=PLAIN, rip=xx.xx.xxx.xx, lip=yy.yyy.yy.yy, TLS, session=<g3ZKeDECFqlWWMbU>
Relevant part: "Too many invalid commands"
Any additional information:
Changing the relevant part of failregex to:
failregex = ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity|: Too many invalid commands)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
helps to catch them all. I'm no regex expert, so better to check it twice.
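The following is an added check, not part of the original report or of the fail2ban project's code: it expands the proposed failregex the way fail2ban does (substituting %(__prefix_line)s and <HOST>) and runs it over the two reported log lines plus two constructed ones. Assumptions: the %(__prefix_line)s stand-in is a simplified syslog prefix (fail2ban's real one is longer and does not include the timestamp, which fail2ban strips before matching); the masked xx/yy addresses are replaced with documentation-range IPs; the third and fourth sample lines are constructed to show an ordinary auth failure that should still match and an inactivity disconnect that should not.

```python
import re

# Simplified stand-in for fail2ban's %(__prefix_line)s (assumption, not the real
# definition from common.conf): optional syslog timestamp, hostname, "dovecot: ".
# Real fail2ban removes the timestamp before matching; this pattern consumes it so
# that raw mail.log lines can be fed in directly.
PREFIX_LINE = r"(?:\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} )?\S+ dovecot: "

# fail2ban 0.9's expansion of the <HOST> tag: optional IPv4-mapped prefix plus a
# named group "host" holding the address.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex proposed in the report, verbatim.
FAILREGEX = (
    r"^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)"
    r"(: Inactivity|: Too many invalid commands)? "
    r"\(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):"
    r"( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?"
    r"(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:"
    r"[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?"
    r"(, session=<\S+>)?\s*$"
)

# Constructed sample input. The first two lines are the ones from the report with
# the masked xx/yy addresses replaced by documentation-range IPs; the last two are
# made up here to exercise a plain auth failure and an idle disconnect.
SAMPLE_LINES = [
    "Nov 26 11:11:21 hostname dovecot: imap-login: Disconnected: Too many invalid commands "
    "(tried to use disallowed plaintext auth): user=<willi>, rip=203.0.113.45, "
    "lip=192.0.2.10, session=<S5dIdTFCDKUWWMbU>",
    "Nov 26 11:12:19 hostname dovecot: imap-login: Disconnected: Too many invalid commands "
    "(auth failed, 1 attempts in 17 secs): user=<willi>, method=PLAIN, rip=203.0.113.45, "
    "lip=192.0.2.10, TLS, session=<g3ZKeDECFqlWWMbU>",
    # Constructed: the ordinary auth-failure form the filter already handled.
    "Nov 26 11:13:02 hostname dovecot: pop3-login: Aborted login (auth failed, 3 attempts in 9 secs): "
    "user=<admin>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<abc123>",
    # Constructed: an idle disconnect with no failed auth; must NOT count as a failure.
    "Nov 26 11:15:40 hostname dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): "
    "user=<>, rip=198.51.100.9, lip=192.0.2.10, session=<def456>",
]


def compile_failregex(failregex, prefix_line=PREFIX_LINE, host=HOST):
    """Expand the %(__prefix_line)s and <HOST> placeholders as fail2ban does and compile."""
    pattern = (failregex % {"__prefix_line": prefix_line}).replace("<HOST>", host)
    return re.compile(pattern)


def matched_hosts(regex, lines):
    """Return the rip= address (the <HOST> group) of every line the filter matches."""
    return [m.group("host") for m in map(regex.match, lines) if m]


if __name__ == "__main__":
    regex = compile_failregex(FAILREGEX)
    for line in SAMPLE_LINES:
        m = regex.match(line)
        print("MATCH " + m.group("host") if m else "no match", "|", line[16:90])
```

Running it shows that both reported lines and the ordinary auth-failure line yield the remote IP, while the inactivity disconnect does not match, so idle clients are not banned. On the actual host the equivalent check is fail2ban-regex against the real log and filter file, for example fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf, which also reports how many lines each regex caught.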