diff --git a/fw_dovecot b/fw_dovecot
new file mode 100644
index 0000000..b0d3ea1
--- /dev/null
+++ b/fw_dovecot
@@ -0,0 +1,3 @@
+#Oct 25 06:13:28 nada dovecot: imap(fredrik)<24465>: Connection closed (LIST finished 0.620 secs ago) in=50 out=4460 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\):\<[[:alnum:]]+\>\<[[:alnum:]]+\> Connection closed.*
diff --git a/fw_saslauthd b/fw_saslauthd
new file mode 100644
index 0000000..47eefa1
--- /dev/null
+++ b/fw_saslauthd
@@ -0,0 +1,9 @@
+#Mar 11 16:25:32 nada saslauthd[1732]: do_auth : auth failure: [user=no-reply] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
+#Mar 11 16:27:11 nada saslauthd[1732]: do_auth : auth failure: [user=Dr_Gonzo] [service=smtp] [realm=Challenge-UK.com] [mech=shadow] [reason=Unknown]
+#Apr 13 09:42:29 kvarnen saslauthd[620]: do_auth : auth failure: [user=test] [service=] [realm=] [mech=pam] [reason=PAM auth error]
+#Apr 15 19:27:33 nada saslauthd[1732]: do_auth : auth failure: [user=backuppc ] [service=smtp] [realm=wahlberg.se] [mech=shadow] [reason=Unknown]
+#Apr 2 16:58:34 nada saslauthd[619]: do_auth : auth failure: [user=prueba] [service=smtp] [realm=] [mech=shadow] [reason=Invalid username]
+#Apr 2 19:08:45 nada saslauthd[604]: do_auth : auth failure: [user=backup] [service=smtp] [realm=] [mech=shadow] [reason=Incorrect password]
+#Feb 6 02:20:14 nada saslauthd[610]: do_auth : auth failure: [user=Adm1n!] [service=smtp] [realm=#] [mech=shadow] [reason=Invalid username]
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_auth[[:blank:]]+: auth failure: \[user=([[:print:]]+)?\] \[service=(smtp)?\] \[realm=([[:print:]]+)?\] \[mech=(pam|shadow)\] \[reason=(Unknown|PAM auth error|Invalid username|Incorrect password)\]
+
diff --git a/fw_spam b/fw_spam
new file mode 100644
index 0000000..58cfc80
--- /dev/null
+++ b/fw_spam
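Review bot: The pattern added in fw_dovecot does not match the sample line recorded above it, so the rule never fires. The sample reads `imap(fredrik)<24465>: Connection closed`, whereas the pattern expects `imap(...):` followed by two bracketed groups. In addition, if these rules are evaluated by egrep (the timestamp/host prefix looks like a logcheck rule), `\<` and `\>` are word-boundary anchors rather than literal angle brackets, and `\>\<` back to back cannot match at all. The failure is on the safe side, since the line simply keeps being reported, but the rule is dead as written. Something like `imap\([[:alnum:]]+\)<[[:digit:]]+>: Connection closed .*$` matches the sample, and the user class should be widened only as far as the account names actually in use require.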
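Review bot: The fw_saslauthd rule suppresses every saslauthd authentication failure, so a password-guessing run against SMTP AUTH would no longer show up in the report. Before merging, confirm that something else (a rate-based alert or a ban tool reading the same log) still consumes these lines. The pattern is also looser than its bracketed fields suggest: the user and realm values come from the client, `[[:print:]]+` matches `]` and spaces as well, and there is no trailing `$`, so the field boundaries are not actually enforced. I would write those two fields as `\[user=[^]]*\]` and `\[realm=[^]]*\]` and end the pattern with `\]$`, which still covers all seven sample lines.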
@@ -0,0 +1,6 @@
+#Mar 2 07:21:44 nada spamc[16024]: connect to spamd on 127.0.0.1 failed, retrying (#1 of 3): Connection refused
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamc\[[0-9]+\]: connect to spamd on (127.0.0.1|::1) failed, retrying \(#(1|2) of 3\): Connection refused
+
+#Nov 16 07:08:09 nada spamd[15284]: util: setuid: ruid=111 euid=111 rgid=65534 65534 egid=65534 65534
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: util: setuid: ruid=111 euid=111 rgid=65534 65534 egid=65534 65534
+
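Review bot: Both fw_spam patterns end without `$`, and the dots in `127.0.0.1` are unescaped, so each matches slightly more than the sample line it was written from. Using `(127\.0\.0\.1|::1)` and a closing `$` on both lines would pin them down. The second rule hard-codes `ruid=111` and `rgid=65534`, which is a useful property because spamd dropping to any other uid stays reported, but the values are host-specific. A comment such as `# uid 111 / gid 65534: presumably the spamd account on this host; any other value must stay reported` would keep a later editor from loosening it to `[0-9]+`. A similar one-line comment that `#(1|2) of 3` appears to leave the final retry visible on purpose would also help.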