diff --git a/lib/dovecot_parser.pm b/lib/dovecot_parser.pm
index 67e7735..5ce57ac 100644
--- a/lib/dovecot_parser.pm
+++ b/lib/dovecot_parser.pm
@@ -56,8 +56,11 @@ sub parser {
 m/(((Info: |)conn unix:auth-worker \(uid=([0-9]{1,9})\): auth-worker<([0-9]{1,9}>: pam\(([a-zA-Z0-9@._-]*),($re_host),<($re_uid)>\): unknown user)))/gi && do {
 $host = $7;
 };
- } elsif($string =~ m/ imap-login: (Info: |)Disconnected/) {
- if($string =~ m/Connection closed/) {
+ } elsif($string =~ m/ imap-login: (Info: |)(Disconnected|Authenticate PLAIN failed)/) {
+ if($string =~ m/Connection closed \(client didn't send a cert\)/) {
+ $hostile = 1;
+ $reply = 'No certificate';
+ } elsif($string =~ m/Connection closed/) {
 $hostile = 0;
 $reply = 'Disconnecting is legit';
 } elsif($string =~ m/ TLS handshaking: /) {
@@ -72,6 +75,9 @@ sub parser {
 } elsif($string =~ m/client didn't finish SASL auth/) {
 $reply = 'Timeout waiting for SASL auth';
 $hostile = 1;
+ } elsif($string =~ m/client didn't send a cert/) {
+ $reply = 'No cert from client';
+ $hostile = 1;
 } elsif($string =~ m/no auth attempts in/) {
 if($string =~ m/, secured/) {
 $reply = 'Secured Disconnect during auth, either sleeping phone or attack on webmail';
@@ -80,6 +86,9 @@ sub parser {
 $reply = 'Non-secure disconnect during auth';
 $hostile = 1;
 }
+ } elsif($string =~ m/Unsupported authentication mechanism/) {
+ $reply = 'Unsupported auth mechanism';
+ $hostile = 1;
 }
 if($hostile) {
 $_ = $string;
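Review bot: The widened outer match lets `Authenticate PLAIN failed` lines into a chain whose second branch, `m/Connection closed/`, still sets `$hostile = 0`, so a failed PLAIN authentication whose line also contains that phrase would be recorded as 'Disconnecting is legit'. The test is an unanchored substring match, so it fires wherever the phrase occurs in the line, which matters if the log line carries client-supplied fields. Restricting the benign branch to plain disconnects keeps failed logins out of it: `} elsif($string !~ m/Authenticate PLAIN failed/ && $string =~ m/Connection closed/) {`. The if/elsif chain continues past the end of this hunk.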
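Review bot: The same condition now gets two different labels, `'No cert from client'` in this branch and `'No certificate'` in the branch added in the first hunk, so anything that groups or reports on `$reply` (not visible here) would split one event type into two. Using one string in both places avoids that. Alternatively, a single `m/client didn't send a cert/` test placed ahead of the `Connection closed` branch would cover both forms and make the more specific branch unnecessary. The chain this branch belongs to starts above the hunk.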
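Review bot: The chain still ends without a final `else`: after the added `Unsupported authentication mechanism` branch it closes and `if($hostile)` runs on whatever `$hostile` and `$reply` already held. Because the first hunk now admits `Authenticate PLAIN failed` lines, a failed login that matches none of the substrings leaves the chain unclassified. Whether `$hostile` is reset earlier in `parser` is not visible in this hunk. An explicit fallback such as `} else { $reply = 'Unclassified imap-login line'; }`, which also sets `$hostile` deliberately, would make that case a decision rather than an accident.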