diff --git a/.tests/postfix-helo-very-slow/config.yaml b/.tests/postfix-helo-very-slow/config.yaml
new file mode 100644
index 00000000000..2f8c2480901
--- /dev/null
+++ b/.tests/postfix-helo-very-slow/config.yaml
@@ -0,0 +1,8 @@
+parsers:
+ - crowdsecurity/syslog-logs
+ - crowdsecurity/postfix-logs
+ - crowdsecurity/dateparse-enrich
+scenarios:
+ - scenarios/melite/postfix-helo-very-slow.yaml
+log_file: postfix-helo-very-slow.log
+log_type: syslog
diff --git a/.tests/postfix-helo-very-slow/parser.assert b/.tests/postfix-helo-very-slow/parser.assert
new file mode 100644
index 00000000000..120686c7a12
--- /dev/null
+++ b/.tests/postfix-helo-very-slow/parser.assert
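Review bot: The companion parser.assert pins the enriched timestamps to `2026-01-15T08:00:00Z`, yet this fixture is declared `log_type: syslog` and its `Jan 15 08:00:00` stamps carry no year, so `crowdsecurity/dateparse-enrich` presumably fills the year in from the wall clock and the test is likely to start failing once the calendar rolls over. Either give the log lines a full RFC 3339 timestamp or assert only on the month/day/time part of `Meta["timestamp"]`. The scenario is listed as a repository path, `- scenarios/melite/postfix-helo-very-slow.yaml`, while the parsers are hub item names (`crowdsecurity/...`); verify that the harness resolves paths here, because if it expects item names the scenario under test would not be loaded at all. The fixture also contains only the six rejections from 203.0.113.1 and no benign traffic, so it cannot show that the slow-HELO scenario stays quiet for a second source IP or for an accepted HELO; consider adding a couple of non-matching lines with matching asserts.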
@@ -0,0 +1,437 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "43001"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 08:00:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "43002"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 08:40:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "43003" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 09:20:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "43004" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jan 15 10:00:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log" 
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "43005" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Jan 15 10:40:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "43006" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Jan 15 11:20:00" 
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false +len(results["s01-parse"]["crowdsecurity/postfix-logs"]) == 6 +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["action"] == "reject" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["command"] == "RCPT" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["helo"] == "invalid" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo=" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["pid"] == "43001" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_addr"] == "203.0.113.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["smtp_basic_status_code"] == "504" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["smtp_return_codes"] == 
"504 5.5.2" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 08:00:00" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["action"] == "reject" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_ip"] == "203.0.113.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Unmarshaled["postfix"]["helo"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Unmarshaled["postfix"]["to"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Unmarshaled["postfix"]["from"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["action"] == "reject" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["command"] == "RCPT" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["helo"] == "invalid" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo=" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["logsource"] == 
"syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["pid"] == "43002" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_addr"] == "203.0.113.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["smtp_basic_status_code"] == "504" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["smtp_return_codes"] == "504 5.5.2" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 08:40:00" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["action"] == "reject" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_hostname"] == "unknown" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_ip"] == "203.0.113.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Unmarshaled["postfix"]["from"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Unmarshaled["postfix"]["helo"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Unmarshaled["postfix"]["to"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["action"] == "reject" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["command"] == "RCPT" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["helo"] == "invalid" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo=" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["pid"] == "43003" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_addr"] == "203.0.113.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["smtp_basic_status_code"] == "504" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["smtp_return_codes"] == "504 5.5.2" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 09:20:00" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["action"] == "reject" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_ip"] == "203.0.113.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Unmarshaled["postfix"]["from"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Unmarshaled["postfix"]["helo"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Unmarshaled["postfix"]["to"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["action"] == "reject" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["command"] == "RCPT" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["helo"] == "invalid" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo=" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["pid"] == "43004" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_addr"] == "203.0.113.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["smtp_basic_status_code"] == "504" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["smtp_return_codes"] == "504 5.5.2" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["timestamp"] == "Jan 15 10:00:00" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["action"] == "reject" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_ip"] == "203.0.113.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Unmarshaled["postfix"]["from"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Unmarshaled["postfix"]["helo"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Unmarshaled["postfix"]["to"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["action"] == "reject" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["command"] == "RCPT" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["helo"] == "invalid" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo=" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["pid"] == "43005" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_addr"] == "203.0.113.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_host"] 
== "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["smtp_basic_status_code"] == "504" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["smtp_return_codes"] == "504 5.5.2" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["timestamp"] == "Jan 15 10:40:00" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["action"] == "reject" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_ip"] == "203.0.113.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Unmarshaled["postfix"]["from"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Unmarshaled["postfix"]["helo"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Unmarshaled["postfix"]["to"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["action"] == "reject" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["command"] == "RCPT" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["helo"] == "invalid" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo=" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["pid"] == "43006" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["remote_addr"] == "203.0.113.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["smtp_basic_status_code"] == "504" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["smtp_return_codes"] == "504 5.5.2" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["timestamp"] == "Jan 15 11:20:00" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["action"] == "reject" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["machine"] == "server" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["source_ip"] == "203.0.113.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Unmarshaled["postfix"]["from"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Unmarshaled["postfix"]["helo"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Unmarshaled["postfix"]["to"] == "" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["action"] == "reject" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["command"] == "RCPT" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["helo"] == "invalid" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo=" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "43001" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "postfix/smtpd" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "203.0.113.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["smtp_basic_status_code"] == "504" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["smtp_return_codes"] == "504 5.5.2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Jan 15 08:00:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["action"] == "reject" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "203.0.113.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2026-01-15T08:00:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2026-01-15T08:00:00Z" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["postfix"]["helo"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["postfix"]["to"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["postfix"]["from"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["action"] == "reject" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["command"] == "RCPT" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["helo"] == "invalid" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo=" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "43002" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "203.0.113.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["smtp_basic_status_code"] == "504" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["smtp_return_codes"] == "504 5.5.2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jan 15 08:40:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["action"] == "reject" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "203.0.113.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2026-01-15T08:40:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2026-01-15T08:40:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["postfix"]["from"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["postfix"]["helo"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["postfix"]["to"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["action"] == "reject"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["command"] == "RCPT"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["helo"] == "invalid"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "43003"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "203.0.113.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["smtp_basic_status_code"] == "504"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["smtp_return_codes"] == "504 5.5.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Jan 15 09:20:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["action"] == "reject"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "203.0.113.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2026-01-15T09:20:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2026-01-15T09:20:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["action"] == "reject"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["command"] == "RCPT"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["helo"] == "invalid"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "43004"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_addr"] == "203.0.113.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["smtp_basic_status_code"] == "504"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["smtp_return_codes"] == "504 5.5.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Jan 15 10:00:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["action"] == "reject"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "203.0.113.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2026-01-15T10:00:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:00:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["action"] == "reject"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["command"] == "RCPT"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["helo"] == "invalid"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "43005"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_addr"] == "203.0.113.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["smtp_basic_status_code"] == "504"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["smtp_return_codes"] == "504 5.5.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "Jan 15 10:40:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["action"] == "reject"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "203.0.113.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2026-01-15T10:40:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:40:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["action"] == "reject"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["command"] == "RCPT"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["helo"] == "invalid"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pid"] == "43006"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_addr"] == "203.0.113.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["smtp_basic_status_code"] == "504"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["smtp_return_codes"] == "504 5.5.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "Jan 15 11:20:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["action"] == "reject"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "203.0.113.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2026-01-15T11:20:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2026-01-15T11:20:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/postfix-helo-very-slow/postfix-helo-very-slow.log b/.tests/postfix-helo-very-slow/postfix-helo-very-slow.log
new file mode 100644
index 00000000000..eae750afc8e
--- /dev/null
+++ b/.tests/postfix-helo-very-slow/postfix-helo-very-slow.log
@@ -0,0 +1,6 @@
+Jan 15 08:00:00 server postfix/smtpd[43001]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=
+Jan 15 08:40:00 server postfix/smtpd[43002]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=
+Jan 15 09:20:00 server postfix/smtpd[43003]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=
+Jan 15 10:00:00 server postfix/smtpd[43004]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=
+Jan 15 10:40:00 server postfix/smtpd[43005]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=
+Jan 15 11:20:00 server postfix/smtpd[43006]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=
diff --git a/.tests/postfix-helo-very-slow/scenario.assert b/.tests/postfix-helo-very-slow/scenario.assert
new file mode 100644
index 00000000000..514ffa07c75
--- /dev/null
+++ b/.tests/postfix-helo-very-slow/scenario.assert
@@ -0,0 +1,69 @@
+len(results) == 1
+"203.0.113.1" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["203.0.113.1"].IP == "203.0.113.1"
+results[0].Overflow.Sources["203.0.113.1"].Range == ""
+results[0].Overflow.Sources["203.0.113.1"].GetScope() == "Ip"
+results[0].Overflow.Sources["203.0.113.1"].GetValue() == "203.0.113.1"
+results[0].Overflow.Alert.Events[0].GetMeta("action") == "reject"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "postfix-helo-very-slow.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[0].GetMeta("reason") == "Helo command rejected: need fully-qualified hostname"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[0].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "203.0.113.1"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-01-15T08:00:00Z"
+results[0].Overflow.Alert.Events[1].GetMeta("action") == "reject"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "postfix-helo-very-slow.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[1].GetMeta("reason") == "Helo command rejected: need fully-qualified hostname"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[1].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "203.0.113.1"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2026-01-15T08:40:00Z"
+results[0].Overflow.Alert.Events[2].GetMeta("action") == "reject"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "postfix-helo-very-slow.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[2].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[2].GetMeta("reason") == "Helo command rejected: need fully-qualified hostname"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[2].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "203.0.113.1"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2026-01-15T09:20:00Z"
+results[0].Overflow.Alert.Events[3].GetMeta("action") == "reject"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "postfix-helo-very-slow.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[3].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[3].GetMeta("reason") == "Helo command rejected: need fully-qualified hostname"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[3].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "203.0.113.1"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2026-01-15T10:00:00Z"
+results[0].Overflow.Alert.Events[4].GetMeta("action") == "reject"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "postfix-helo-very-slow.log"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[4].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[4].GetMeta("reason") == "Helo command rejected: need fully-qualified hostname"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[4].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "203.0.113.1"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2026-01-15T10:40:00Z"
+results[0].Overflow.Alert.Events[5].GetMeta("action") == "reject"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "postfix-helo-very-slow.log"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[5].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[5].GetMeta("reason") == "Helo command rejected: need fully-qualified hostname"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[5].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "203.0.113.1"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2026-01-15T11:20:00Z"
+results[0].Overflow.Alert.GetScenario() == "melite/postfix-helo-very-slow"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/postfix-slow-bf/config.yaml b/.tests/postfix-slow-bf/config.yaml
new file mode 100644
index 00000000000..be7be08ad6f
--- /dev/null
+++ b/.tests/postfix-slow-bf/config.yaml
@@ -0,0 +1,8 @@
+parsers:
+  - crowdsecurity/syslog-logs
+  - crowdsecurity/postfix-logs
+  - crowdsecurity/dateparse-enrich
+scenarios:
+  - scenarios/melite/postfix-slow-bf.yaml
+log_file: postfix-slow-bf.log
+log_type: syslog
diff --git a/.tests/postfix-slow-bf/parser.assert b/.tests/postfix-slow-bf/parser.assert
new file mode 100644
index 00000000000..6c760820f96
--- /dev/null
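Review bot: The `GetMeta("timestamp")` expectations for Events[0] through Events[5] (`"2026-01-15T08:00:00Z"` … `"2026-01-15T11:20:00Z"`) pin a year that the fixture log lines (`Jan 15 08:00:00 server postfix/smtpd[43001]: …`) never carry, so they only hold while dateparse-enrich fills in the same year it did when the file was generated; if, as these values suggest, the enricher substitutes the current year, this test starts failing at the next year boundary with no change to the scenario. Either accept that the assert files must be regenerated periodically and say so in a comment next to the test, or give the fixture timestamps an explicit year (a syslog format the crowdsecurity/syslog-logs parser accepts) so the asserts stay stable. The same year-dependent values appear on the `Evt.Meta["timestamp"]` and `Evt.Enriched["MarshaledTime"]` lines of both parser.assert files in this commit. Separately, the scenario is exercised only in the triggering direction (six events, 40 minutes apart, `GetEventsCount() == 6`); a companion sample spaced just beyond the bucket's leak rate, asserting `len(results) == 0`, would pin the "very slow" threshold rather than only the happy path.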
+++ b/.tests/postfix-slow-bf/parser.assert 
@@ -0,0 +1,389 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 8
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "40001"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 10:00:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "40002"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 10:01:30"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "40003"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 10:03:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "40004"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jan 15 10:04:30"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "40005"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Jan 15 10:06:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "40006"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Jan 15 10:07:30"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["pid"] == "40007"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["timestamp"] == "Jan 15 10:09:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["pid"] == "40008"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["timestamp"] == "Jan 15 10:10:30"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Whitelisted == false
+len(results["s01-parse"]["crowdsecurity/postfix-logs"]) == 8
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["pid"] == "40001"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 10:00:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["pid"] == "40002"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 10:01:30"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["pid"] == "40003"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 10:03:00" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_ip"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["message_failure"] == " authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["pid"] == "40004" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_addr"] == "192.0.2.1" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["timestamp"] == "Jan 15 10:04:30" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_ip"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["message_failure"] == " authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["pid"] == "40005" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["timestamp"] == "Jan 15 10:06:00" 
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_ip"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["message_failure"] == " authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["pid"] == "40006" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["timestamp"] == "Jan 15 10:07:30" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["datasource_type"] == "file" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["source_ip"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][6].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Parsed["message_failure"] == " authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Parsed["pid"] == "40007" +results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Parsed["timestamp"] == "Jan 15 10:09:00" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Meta["log_type_enh"] == "spam-attempt" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Meta["source_ip"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][7].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Parsed["message_failure"] == " authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Parsed["pid"] == "40008" +results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Parsed["timestamp"] == "Jan 15 10:10:30" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Meta["service"] == "postfix" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Meta["source_ip"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 8 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message_failure"] == " authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "40001" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Jan 15 10:00:00" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_hostname"] == "unknown" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2026-01-15T10:00:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:00:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message_failure"] == " authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "40002" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jan 15 10:01:30" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "postfix" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2026-01-15T10:01:30Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:01:30Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message_failure"] == " authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "40003" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Jan 15 10:03:00" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "server" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2026-01-15T10:03:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:03:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message_failure"] == " authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "40004" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Jan 15 10:04:30" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type_enh"] == "spam-attempt" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2026-01-15T10:04:30Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:04:30Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message_failure"] == " authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "40005" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "Jan 15 10:06:00" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "postfix" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2026-01-15T10:06:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:06:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message_failure"] == " authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pid"] == "40006" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "Jan 15 10:07:30" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2026-01-15T10:07:30Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:07:30Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message_failure"] == " authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["pid"] == "40007" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["timestamp"] == "Jan 15 10:09:00" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2026-01-15T10:09:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:09:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message_failure"] == " authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["pid"] == "40008" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["timestamp"] == "Jan 15 10:10:30" 
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2026-01-15T10:10:30Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:10:30Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false +len(results["success"][""]) == 0 diff --git a/.tests/postfix-slow-bf/postfix-slow-bf.log b/.tests/postfix-slow-bf/postfix-slow-bf.log new file mode 100644 index 00000000000..9e96db4c578 --- /dev/null +++ b/.tests/postfix-slow-bf/postfix-slow-bf.log 
@@ -0,0 +1,8 @@
+Jan 15 10:00:00 server postfix/smtpd[40001]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:01:30 server postfix/smtpd[40002]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:03:00 server postfix/smtpd[40003]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:04:30 server postfix/smtpd[40004]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:06:00 server postfix/smtpd[40005]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:07:30 server postfix/smtpd[40006]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:09:00 server postfix/smtpd[40007]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:10:30 server postfix/smtpd[40008]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
diff --git a/.tests/postfix-slow-bf/scenario.assert b/.tests/postfix-slow-bf/scenario.assert
new file mode 100644
index 00000000000..8d89d303121
--- /dev/null
+++ b/.tests/postfix-slow-bf/scenario.assert
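Review bot: The eight fixture lines carry RFC 3164 timestamps with no year, so the `2026-01-15T10:00:00Z` values that the parser.assert and scenario.assert files in this commit expect for `Meta["timestamp"]` and `Enriched["MarshaledTime"]` can only come from the year being supplied at parse time, presumably from the clock of the machine running the test; if so, these expectations silently expire at the next year boundary and every date assertion fails. If the syslog parser in the test's parser list accepts an RFC 5424 timestamp, writing each line with a full date, e.g. `2026-01-15T10:00:00Z server postfix/smtpd[40001]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure`, would pin the expected values; otherwise the assert files need regenerating whenever the year changes, which is worth a comment in the test's config.yaml. The eight lines spaced 90 seconds apart match the eight parsed events and the single source `192.0.2.1` the scenario assertions count, so the fixture itself is internally consistent.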
@@ -0,0 +1,81 @@
+len(results) == 1
+"192.0.2.1" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["192.0.2.1"].IP == "192.0.2.1"
+results[0].Overflow.Sources["192.0.2.1"].Range == ""
+results[0].Overflow.Sources["192.0.2.1"].GetScope() == "Ip"
+results[0].Overflow.Sources["192.0.2.1"].GetValue() == "192.0.2.1"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "postfix-slow-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[0].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-01-15T10:00:00Z"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "postfix-slow-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[1].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2026-01-15T10:01:30Z"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "postfix-slow-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[2].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[2].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2026-01-15T10:03:00Z"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "postfix-slow-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[3].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[3].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2026-01-15T10:04:30Z"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "postfix-slow-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[4].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[4].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2026-01-15T10:06:00Z"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "postfix-slow-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[5].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[5].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2026-01-15T10:07:30Z"
+basename(results[0].Overflow.Alert.Events[6].GetMeta("datasource_path")) == "postfix-slow-bf.log"
+results[0].Overflow.Alert.Events[6].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[6].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[6].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[6].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[6].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[6].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[6].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[6].GetMeta("timestamp") == "2026-01-15T10:09:00Z"
+basename(results[0].Overflow.Alert.Events[7].GetMeta("datasource_path")) == "postfix-slow-bf.log"
+results[0].Overflow.Alert.Events[7].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[7].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[7].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[7].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[7].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[7].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[7].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[7].GetMeta("timestamp") == "2026-01-15T10:10:30Z"
+results[0].Overflow.Alert.GetScenario() == "melite/postfix-slow-bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 8
diff --git a/.tests/postfix-submission-auth/config.yaml b/.tests/postfix-submission-auth/config.yaml
new file mode 100644
index 00000000000..76cb9ba1fcb
--- /dev/null
+++ b/.tests/postfix-submission-auth/config.yaml
@@ -0,0 +1,8 @@
+parsers:
+ - crowdsecurity/syslog-logs
+ - ./parsers/s01-parse/crowdsecurity/postfix-logs.yaml
+ - crowdsecurity/dateparse-enrich
+scenarios:
+ - ""
+log_file: postfix-submission-auth.log
+log_type: syslog
diff --git a/.tests/postfix-submission-auth/parser.assert b/.tests/postfix-submission-auth/parser.assert
new file mode 100644
index 00000000000..74e71e2de98
--- /dev/null
+++ b/.tests/postfix-submission-auth/parser.assert
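Review bot: The scenario assertions pin only the positive path — eight SASL failures from 192.0.2.1 at a 90-second cadence overflow `melite/postfix-slow-bf` with `GetEventsCount() == 8` and `Remediation == true` — but nothing here fixes where the threshold sits, so a regression that lets the bucket fire on far fewer failures (a legitimate user mistyping a password a couple of times) would still pass. A companion fixture with one fewer failure at the same cadence, asserted with `len(results) == 0`, would pin the lower bound. The bucket parameters themselves live in the scenario file, which is not in this hunk, so the exact margin cannot be read from here.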
@@ -0,0 +1,149 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 3
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "50001"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 10:30:45"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "disconnect from attacker.example[198.51.100.1] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "50002"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 10:31:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "disconnect from scanner.example[203.0.113.50] ehlo=1 auth=0/2 quit=1 commands=2/4"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "50003"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 10:32:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
+len(results["s01-parse"]["crowdsecurity/postfix-logs"]) == 3
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["auth_attempts"] == "1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["pid"] == "50001"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 10:30:45"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["auth_attempts"] == "3"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["message"] == "disconnect from attacker.example[198.51.100.1] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["pid"] == "50002"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_host"] == "attacker.example"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 10:31:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_hostname"] == "attacker.example"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["auth_attempts"] == "2"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["message"] == "disconnect from scanner.example[203.0.113.50] ehlo=1 auth=0/2 quit=1 commands=2/4"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["pid"] == "50003"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_addr"] == "203.0.113.50"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_host"] == "scanner.example"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 10:32:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_hostname"] == "scanner.example"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_ip"] == "203.0.113.50"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 3
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["auth_attempts"] == "1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "50001"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Jan 15 10:30:45"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2026-01-15T10:30:45Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:30:45Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["auth_attempts"] == "3"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "disconnect from attacker.example[198.51.100.1] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "50002"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_host"] == "attacker.example"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jan 15 10:31:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_hostname"] == "attacker.example"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2026-01-15T10:31:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:31:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["auth_attempts"] == "2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "disconnect from scanner.example[203.0.113.50] ehlo=1 auth=0/2 quit=1 commands=2/4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "50003"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "203.0.113.50"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_host"] == "scanner.example"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Jan 15 10:32:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_hostname"] == "scanner.example"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "203.0.113.50"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2026-01-15T10:32:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:32:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/postfix-submission-auth/postfix-submission-auth.log b/.tests/postfix-submission-auth/postfix-submission-auth.log
new file mode 100644
index 00000000000..a07c849455f
--- /dev/null
+++ b/.tests/postfix-submission-auth/postfix-submission-auth.log
@@ -0,0 +1,3 @@
+Jan 15 10:30:45 server postfix/submission/smtpd[50001]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 10:31:00 server postfix/submission/smtpd[50002]: disconnect from attacker.example[198.51.100.1] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7
+Jan 15 10:32:00 server postfix/submission/smtpd[50003]: disconnect from scanner.example[203.0.113.50] ehlo=1 auth=0/2 quit=1 commands=2/4
diff --git a/.tests/postfix-submission-very-slow-bf/config.yaml b/.tests/postfix-submission-very-slow-bf/config.yaml
new file mode 100644
index 00000000000..8e941ba808c
--- /dev/null
+++ b/.tests/postfix-submission-very-slow-bf/config.yaml
@@ -0,0 +1,8 @@
+parsers:
+ - crowdsecurity/syslog-logs
+ - ./parsers/s01-parse/crowdsecurity/postfix-logs.yaml
+ - crowdsecurity/dateparse-enrich
+scenarios:
+ - scenarios/melite/postfix-submission-very-slow-bf.yaml
+log_file: postfix-submission-very-slow-bf.log
+log_type: syslog
diff --git a/.tests/postfix-submission-very-slow-bf/parser.assert b/.tests/postfix-submission-very-slow-bf/parser.assert
new file mode 100644
index 00000000000..21aa8701ecb
--- /dev/null
+++ b/.tests/postfix-submission-very-slow-bf/parser.assert
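Review bot: The two local-path entries are written in different forms — the parser as `./parsers/s01-parse/crowdsecurity/postfix-logs.yaml` and the scenario as `scenarios/melite/postfix-submission-very-slow-bf.yaml` without the `./` prefix — so a reader has to guess whether the second is a hub item name or a repository path. If hubtest resolves both relative to the repo root the behaviour is the same, but writing it as `./scenarios/melite/postfix-submission-very-slow-bf.yaml` makes the intent explicit and matches the parser line.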
@@ -0,0 +1,293 @@ +len(results) == 4 +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6 +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "42001" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 10:00:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/2 quit=1 commands=2/4" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "42002" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 10:40:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "server" 
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "42003" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 11:20:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "42004" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jan 15 12:00:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "server" 
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/3 quit=1 commands=2/5" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "42005" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Jan 15 12:40:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "42006" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Jan 15 13:20:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "server" 
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false +len(results["s01-parse"]["crowdsecurity/postfix-logs"]) == 6 +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["auth_attempts"] == "1" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["pid"] == "42001" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 10:00:00" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type_enh"] == "submission-auth-failed" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_ip"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Success == true 
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["auth_attempts"] == "2" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/2 quit=1 commands=2/4" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["pid"] == "42002" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 10:40:00" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type_enh"] == "submission-auth-failed" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_ip"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["auth_attempts"] == "1" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["logsource"] == "syslog" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["pid"] == "42003"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 11:20:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["auth_attempts"] == "1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["pid"] == "42004"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["timestamp"] == "Jan 15 12:00:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["auth_attempts"] == "3"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/3 quit=1 commands=2/5"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["pid"] == "42005"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["timestamp"] == "Jan 15 12:40:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["auth_attempts"] == "1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["pid"] == "42006"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["timestamp"] == "Jan 15 13:20:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["auth_attempts"] == "1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "42001"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Jan 15 10:00:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2026-01-15T10:00:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:00:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["auth_attempts"] == "2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/2 quit=1 commands=2/4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "42002"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jan 15 10:40:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2026-01-15T10:40:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:40:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["auth_attempts"] == "1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "42003"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Jan 15 11:20:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2026-01-15T11:20:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2026-01-15T11:20:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["auth_attempts"] == "1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "42004"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Jan 15 12:00:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2026-01-15T12:00:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2026-01-15T12:00:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["auth_attempts"] == "3"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/3 quit=1 commands=2/5"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "42005"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "Jan 15 12:40:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2026-01-15T12:40:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2026-01-15T12:40:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["auth_attempts"] == "1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pid"] == "42006"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "Jan 15 13:20:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2026-01-15T13:20:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2026-01-15T13:20:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/postfix-submission-very-slow-bf/postfix-submission-very-slow-bf.log b/.tests/postfix-submission-very-slow-bf/postfix-submission-very-slow-bf.log
new file mode 100644
index 00000000000..a7c5c7a14ee
--- /dev/null
+++ b/.tests/postfix-submission-very-slow-bf/postfix-submission-very-slow-bf.log
@@ -0,0 +1,6 @@
+Jan 15 10:00:00 server postfix/submission/smtpd[42001]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 10:40:00 server postfix/submission/smtpd[42002]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/2 quit=1 commands=2/4
+Jan 15 11:20:00 server postfix/submission/smtpd[42003]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 12:00:00 server postfix/submission/smtpd[42004]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 12:40:00 server postfix/submission/smtpd[42005]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/3 quit=1 commands=2/5
+Jan 15 13:20:00 server postfix/submission/smtpd[42006]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
diff --git a/.tests/postfix-submission-very-slow-bf/scenario.assert b/.tests/postfix-submission-very-slow-bf/scenario.assert
new file mode 100644
index 00000000000..6ef9c6f9d31
--- /dev/null
+++ b/.tests/postfix-submission-very-slow-bf/scenario.assert
@@ -0,0 +1,51 @@
+len(results) == 1
+"192.0.2.1" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["192.0.2.1"].IP == "192.0.2.1"
+results[0].Overflow.Sources["192.0.2.1"].Range == ""
+results[0].Overflow.Sources["192.0.2.1"].GetScope() == "Ip"
+results[0].Overflow.Sources["192.0.2.1"].GetValue() == "192.0.2.1"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "postfix-submission-very-slow-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type_enh") == "submission-auth-failed"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-01-15T10:00:00Z"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "postfix-submission-very-slow-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type_enh") == "submission-auth-failed"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2026-01-15T10:40:00Z"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "postfix-submission-very-slow-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type_enh") == "submission-auth-failed"
+results[0].Overflow.Alert.Events[2].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2026-01-15T11:20:00Z"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "postfix-submission-very-slow-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type_enh") == "submission-auth-failed"
+results[0].Overflow.Alert.Events[3].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2026-01-15T12:00:00Z"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "postfix-submission-very-slow-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type_enh") == "submission-auth-failed"
+results[0].Overflow.Alert.Events[4].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2026-01-15T12:40:00Z"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "postfix-submission-very-slow-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type_enh") == "submission-auth-failed"
+results[0].Overflow.Alert.Events[5].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2026-01-15T13:20:00Z"
+results[0].Overflow.Alert.GetScenario() == "melite/postfix-submission-very-slow-bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 6
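Review bot: The timestamp expectations such as `results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-01-15T10:00:00Z"` pin a year that the fixture log lines (`Jan 15 10:00:00 server postfix/submission/smtpd[42001]: ...`) do not carry, so the year can only have come from the clock at the time these asserts were generated. If dateparse-enrich fills a missing year from the current date — which is what the parser.assert expectations for both tests also appear to rely on — every `timestamp` and `MarshaledTime` assert in this commit starts failing on 1 January 2027 with no change to the scenarios. Either write the fixtures in a timestamp format that carries a year, or drop the year-bearing `timestamp` asserts and keep the source, ordering and count checks (`GetEventsCount() == 6`). This note covers the parser.assert hunks of both tests as well; their start or end lies outside the visible part of the diff.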
diff --git a/.tests/postfix-very-slow-bf/config.yaml b/.tests/postfix-very-slow-bf/config.yaml
new file mode 100644
index 00000000000..f79896fe355
--- /dev/null
+++ b/.tests/postfix-very-slow-bf/config.yaml
@@ -0,0 +1,8 @@
+parsers:
+ - crowdsecurity/syslog-logs
+ - crowdsecurity/postfix-logs
+ - crowdsecurity/dateparse-enrich
+scenarios:
+ - scenarios/melite/postfix-very-slow-bf.yaml
+log_file: postfix-very-slow-bf.log
+log_type: syslog
diff --git a/.tests/postfix-very-slow-bf/parser.assert b/.tests/postfix-very-slow-bf/parser.assert
new file mode 100644
index 00000000000..09ea2252e24
--- /dev/null
+++ b/.tests/postfix-very-slow-bf/parser.assert
@@ -0,0 +1,293 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "41001"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 08:00:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "41002"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 08:40:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "41003"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 09:20:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "41004"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jan 15 10:00:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "41005"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Jan 15 10:40:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "41006"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Jan 15 11:20:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false
+len(results["s01-parse"]["crowdsecurity/postfix-logs"]) == 6
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["pid"] == "41001"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 08:00:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["pid"] == "41002"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 08:40:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["pid"] == "41003"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 09:20:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["pid"] == "41004" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["timestamp"] == "Jan 15 10:00:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["pid"] == "41005"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_addr"] == "198.51.100.1" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["timestamp"] == "Jan 15 10:40:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["pid"] == "41006"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["timestamp"] == "Jan 15 11:20:00" 
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message_failure"] == " authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "41001"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Jan 15 08:00:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == 
"postfix-very-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2026-01-15T08:00:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2026-01-15T08:00:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message_failure"] == " authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "41002"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jan 15 08:40:00" 
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2026-01-15T08:40:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2026-01-15T08:40:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message_failure"] == " authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "41003"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_host"] == "unknown" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Jan 15 09:20:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2026-01-15T09:20:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2026-01-15T09:20:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message_failure"] == " authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "41004"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_addr"] == "198.51.100.1" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Jan 15 10:00:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2026-01-15T10:00:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:00:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message_failure"] == " authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "41005"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "postfix/smtpd" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "Jan 15 10:40:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2026-01-15T10:40:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:40:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message_failure"] == " authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pid"] == "41006" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "Jan 15 11:20:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2026-01-15T11:20:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2026-01-15T11:20:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/postfix-very-slow-bf/postfix-very-slow-bf.log b/.tests/postfix-very-slow-bf/postfix-very-slow-bf.log
new file mode 100644
index 00000000000..5ed1510ce66
--- /dev/null
+++ b/.tests/postfix-very-slow-bf/postfix-very-slow-bf.log 
@@ -0,0 +1,6 @@
+Jan 15 08:00:00 server postfix/smtpd[41001]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 08:40:00 server postfix/smtpd[41002]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 09:20:00 server postfix/smtpd[41003]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:00:00 server postfix/smtpd[41004]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:40:00 server postfix/smtpd[41005]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 11:20:00 server postfix/smtpd[41006]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
diff --git a/.tests/postfix-very-slow-bf/scenario.assert b/.tests/postfix-very-slow-bf/scenario.assert
new file mode 100644
index 00000000000..84e0684a5d7
--- /dev/null
+++ b/.tests/postfix-very-slow-bf/scenario.assert 
@@ -0,0 +1,63 @@
+len(results) == 1
+"198.51.100.1" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["198.51.100.1"].IP == "198.51.100.1"
+results[0].Overflow.Sources["198.51.100.1"].Range == ""
+results[0].Overflow.Sources["198.51.100.1"].GetScope() == "Ip"
+results[0].Overflow.Sources["198.51.100.1"].GetValue() == "198.51.100.1"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "postfix-very-slow-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[0].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "198.51.100.1"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-01-15T08:00:00Z"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "postfix-very-slow-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[1].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "198.51.100.1"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2026-01-15T08:40:00Z"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "postfix-very-slow-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "postfix" 
+results[0].Overflow.Alert.Events[2].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[2].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[2].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "198.51.100.1"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2026-01-15T09:20:00Z"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "postfix-very-slow-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[3].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[3].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "198.51.100.1"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2026-01-15T10:00:00Z"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "postfix-very-slow-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[4].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[4].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "198.51.100.1"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2026-01-15T10:40:00Z"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "postfix-very-slow-bf.log" 
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[5].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[5].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "198.51.100.1"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2026-01-15T11:20:00Z"
+results[0].Overflow.Alert.GetScenario() == "melite/postfix-very-slow-bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/parsers/s01-parse/crowdsecurity/postfix-logs.yaml b/parsers/s01-parse/crowdsecurity/postfix-logs.yaml
index 3be4bf4bbec..b7b901aec2c 100644
--- a/parsers/s01-parse/crowdsecurity/postfix-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/postfix-logs.yaml
@@ -52,6 +52,12 @@ nodes:
 statics:
 - meta: log_type_enh
 value: non-smtp-command
+ - grok:
+ apply_on: message
+ pattern: 'disconnect from %{RELAY} %{DATA}auth=0/%{INT:auth_attempts}'
+ statics:
+ - meta: log_type_enh
+ value: submission-auth-failed
 - grok:
 apply_on: message
 pattern: 'NOQUEUE: %{POSTFIX_ACTION:action}: %{DATA:command} from %{RELAY}: %{SMTP_RETURN_CODES:smtp_return_codes} %{GREEDYDATA:reason}'
@@ -78,4 +84,3 @@ statics:
 expression: "evt.Parsed.remote_host"
 - meta: log_type
 value: postfix
-
diff --git a/scenarios/melite/postfix-helo-very-slow.md b/scenarios/melite/postfix-helo-very-slow.md
new file mode 100644
index 00000000000..a997540b1c4
--- /dev/null
+++ b/scenarios/melite/postfix-helo-very-slow.md 
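Review bot: The `GetMeta("timestamp")` assertions for `Events[0]` through `Events[5]` pin the year 2026, yet the fixture's syslog lines carry no year, so that value can only come from the date enrichment's choice of year; if that is the wall-clock year at test time, as it appears to be, these six lines and the matching `Meta["timestamp"]` / `Enriched["MarshaledTime"]` lines in `parser.assert` start failing on the next 1 January. Either drop the timestamp assertions or give the fixture a log format that carries an explicit year. The same pattern applies to the other `.tests` directories added in this commit.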
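Review bot: The new `disconnect from %{RELAY} %{DATA}auth=0/%{INT:auth_attempts}` node captures `auth_attempts` only into `Parsed` and adds no static promoting it into `Meta`, so scenarios receive the `submission-auth-failed` label but not the attempt count; a static such as `- meta: auth_attempts` with `expression: "evt.Parsed.auth_attempts"`, in the same form as the existing `evt.Parsed.remote_host` static, would make it usable in a scenario `filter`. The label is also narrower than the pattern: any `smtpd` disconnect line with `auth=0/N` matches, including port-25 sessions whose individual SASL failures are already tagged `spam-attempt`, so a scenario that filters on both labels would count such a session once more than intended; either restrict the node to the submission service (the example in `postfix-submission-very-slow-bf.md` uses `postfix/submission/smtpd`) or name the label for what it matches, e.g. `smtpd-auth-failed`. The parser's top-level `filter` and the `RELAY` pattern are outside this hunk, so confirm that `postfix/submission/smtpd` passes the program filter, and note that no `.tests` fixture exercising this node is visible in this chunk.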
@@ -0,0 +1,30 @@
+## Description
+
+Detects evasive spammers sending invalid HELO/EHLO commands at a rate of less than 1 attempt per hour. The standard `crowdsecurity/postfix-helo-rejected` scenario has only a ~10-minute detection window, allowing patient spammers to fly under the radar.
+
+Uses a leaky bucket with a 4-hour leak rate and capacity of 5, creating a 24-hour detection window. Triggers after 6 HELO rejections from the same IP.
+
+**Note**: Unlike brute-force scenarios, `reprocess` is set to `false` since HELO rejections are a spam indicator, not credential attacks.
+
+**Detection window**: 24 hours (leakspeed 4h × 6 events)
+
+## Remediation
+
+Ban the attacking IP.
+
+## Example
+
+A spammer sends invalid HELO commands ~70 minutes apart to avoid detection:
+
+```
+Jan 15 08:00:00 server postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to=
+Jan 15 09:10:00 server postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to=
+Jan 15 10:20:00 server postfix/smtpd[1003]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to=
+Jan 15 11:30:00 server postfix/smtpd[1004]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to=
+Jan 15 12:40:00 server postfix/smtpd[1005]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to=
+Jan 15 13:50:00 server postfix/smtpd[1006]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to=
+```
+
+## Dependencies
+
+- Parser: `crowdsecurity/postfix-logs` 
diff --git a/scenarios/melite/postfix-helo-very-slow.yaml b/scenarios/melite/postfix-helo-very-slow.yaml
new file mode 100644
index 00000000000..e901b2db61d
--- /dev/null
+++ b/scenarios/melite/postfix-helo-very-slow.yaml
@@ -0,0 +1,27 @@
+# Scenario: Very slow Postfix HELO rejected
+# Detects attackers sending invalid HELO commands at < 1 attempt per hour
+# Detection window: 4h x 6 = 24 hours (6 failures needed)
+#
+# Standard crowdsecurity/postfix-helo-rejected has only a 10-minute window.
+# Evasive spammers space invalid HELO commands ~70 minutes apart to avoid it.
+#
+# Real-world example: 31.192.235.95 targeting laportette.fr with ~70min intervals
+type: leaky
+name: melite/postfix-helo-very-slow
+description: "Detect very slow HELO rejection attacks (evasive spammers)"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.action == 'reject' && evt.Meta.reason startsWith 'Helo command rejected'"
+leakspeed: "4h"
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 5m
+reprocess: false
+labels:
+ service: postfix
+ remediation: true
+ confidence: 2
+ spoofable: 0
+ classification:
+ - attack.T1595
+ - attack.T1592
+ behavior: "smtp:very-slow-helo-spam"
+ label: "Postfix Very Slow HELO Rejected"
diff --git a/scenarios/melite/postfix-slow-bf.md b/scenarios/melite/postfix-slow-bf.md
new file mode 100644
index 00000000000..6a1ab3cde1e
--- /dev/null
+++ b/scenarios/melite/postfix-slow-bf.md 
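Review bot: The header comment's "Real-world example" line embeds a specific public IP address and a real third-party domain; neither is needed for the scenario to work, and committing an operator's domain together with a named source address into a public hub file is an avoidable disclosure, so replace them with a documentation address (`203.0.113.1`, as the test fixture already does) or drop the line. The `filter` also relies on `evt.Meta.action` and `evt.Meta.reason`, whereas the visible parser hunk captures `action` and `reason` only into `Parsed` (`%{POSTFIX_ACTION:action}`, `%{GREEDYDATA:reason}`) and no static promoting them to `Meta` is visible; if the parser does not set them, this filter never matches and the bucket never fills, so either confirm those statics exist or filter on `evt.Parsed.action` / `evt.Parsed.reason`. Minor: `leakspeed` is quoted while `blackhole: 5m` is not; pick one style.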
@@ -0,0 +1,32 @@
+## Description
+
+Detects slow Postfix SMTP AUTH brute-force attacks where distributed botnets or patient attackers test SASL credentials with 2-5 minute intervals on port 25.
+
+Uses a leaky bucket with a 15-minute (900s) leak rate and capacity of 7, creating a 2-hour detection window. Triggers after 8 failed SASL authentication attempts from the same IP.
+
+Includes a `_user-enum` variant that triggers when the same IP tries different SASL usernames.
+
+**Detection window**: 2 hours (leakspeed 900s × 8 events)
+
+## Remediation
+
+Ban the attacking IP.
+
+## Example
+
+A distributed botnet tests SMTP credentials with 2-5 minute intervals:
+
+```
+Jan 15 10:00:00 server postfix/smtpd[1001]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:03:00 server postfix/smtpd[1002]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:06:00 server postfix/smtpd[1003]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:10:00 server postfix/smtpd[1004]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:14:00 server postfix/smtpd[1005]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:18:00 server postfix/smtpd[1006]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:22:00 server postfix/smtpd[1007]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:26:00 server postfix/smtpd[1008]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+```
+
+## Dependencies
+
+- Parser: `crowdsecurity/postfix-logs`
diff --git a/scenarios/melite/postfix-slow-bf.yaml b/scenarios/melite/postfix-slow-bf.yaml
new file mode 100644
index 00000000000..8bebba6d696
--- /dev/null
+++ b/scenarios/melite/postfix-slow-bf.yaml 
@@ -0,0 +1,44 @@
+# Scenario: Slow Postfix SMTP AUTH bruteforce
+# Detects distributed or slow SASL authentication attacks on port 25
+# Detection window: 15min x 8 = 2 hours (8 failures needed)
+#
+# Real-world example: Distributed botnets testing SMTP credentials
+# with 2-5 minute intervals to avoid standard detection.
+type: leaky
+name: melite/postfix-slow-bf
+description: "Detect slow Postfix SMTP AUTH bruteforce (distributed attacks)"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'"
+leakspeed: "900s"
+capacity: 7
+groupby: evt.Meta.source_ip
+blackhole: 5m
+reprocess: true
+labels:
+ service: postfix
+ remediation: true
+ confidence: 3
+ spoofable: 0
+ classification:
+ - attack.T1110
+ behavior: "smtp:slow-bruteforce"
+ label: "Postfix Slow Bruteforce"
+---
+# SASL username enumeration variant
+type: leaky
+name: melite/postfix-slow-bf_user-enum
+description: "Detect slow Postfix SASL user enumeration"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'"
+groupby: evt.Meta.source_ip
+distinct: evt.Meta.sasl_username
+leakspeed: "900s"
+capacity: 7
+blackhole: 5m
+labels:
+ service: postfix
+ remediation: true
+ confidence: 3
+ spoofable: 0
+ classification:
+ - attack.T1110
+ behavior: "smtp:user-enumeration"
+ label: "Postfix Slow User Enumeration"
diff --git a/scenarios/melite/postfix-submission-very-slow-bf.md b/scenarios/melite/postfix-submission-very-slow-bf.md
new file mode 100644
index 00000000000..260869e54e9
--- /dev/null
+++ b/scenarios/melite/postfix-submission-very-slow-bf.md
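Review bot: The `melite/postfix-slow-bf_user-enum` document hinges on `distinct: evt.Meta.sasl_username`, but nothing in this change shows `crowdsecurity/postfix-logs` populating that field, and the example lines shipped with this scenario (`SASL LOGIN authentication failed: authentication failure`) carry no username at all; if the field is unset, every event maps to the same (empty) distinct key, only the first one is poured, and the bucket can never reach `capacity: 7` — the variant would silently never fire. Please point at the parser pattern that sets `sasl_username`, guard the filter so empty values are excluded, e.g. `filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt' && evt.Meta.sasl_username != ''"`, and add a test that pours eight distinct usernames from one IP. The variant also omits `reprocess` while the first document sets `reprocess: true`; either state the intent in a comment or make the two consistent.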
@@ -0,0 +1,30 @@
+## Description
+
+Detects very slow brute-force attacks on the Postfix submission port (587). These attacks are invisible to standard Postfix scenarios because port 587 with STARTTLS does not log explicit "SASL authentication failed" messages — failures only appear as `auth=0/N` in disconnect lines.
+
+Uses a leaky bucket with a 4-hour leak rate and capacity of 5, creating a 24-hour detection window. Triggers after 6 failed submission auth attempts from the same IP.
+
+**Requires** the `crowdsecurity/postfix-logs` parser which extracts `auth=0/N` patterns from disconnect lines (added in this PR).
+
+**Detection window**: 24 hours (leakspeed 4h × 6 events)
+
+## Remediation
+
+Ban the attacking IP.
+
+## Example
+
+An attacker targets the submission port with STARTTLS, auth failures only visible in disconnect lines:
+
+```
+Jan 15 10:00:00 server postfix/submission/smtpd[1001]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 11:30:00 server postfix/submission/smtpd[1002]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/2 quit=1 commands=2/4
+Jan 15 13:00:00 server postfix/submission/smtpd[1003]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 14:30:00 server postfix/submission/smtpd[1004]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 16:00:00 server postfix/submission/smtpd[1005]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/3 quit=1 commands=2/5
+Jan 15 17:30:00 server postfix/submission/smtpd[1006]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+```
+
+## Dependencies
+
+- Parser: `crowdsecurity/postfix-logs` (s01-parse, extended with `submission-auth-failed` pattern)
diff --git a/scenarios/melite/postfix-submission-very-slow-bf.yaml b/scenarios/melite/postfix-submission-very-slow-bf.yaml
new file mode 100644
index 00000000000..bfee6aa83eb
--- /dev/null
+++ b/scenarios/melite/postfix-submission-very-slow-bf.yaml
@@ -0,0 +1,31 @@
+# Scenario: Very slow bruteforce on Postfix submission port (587)
+# Detects evasive attacks that space attempts to evade standard scenarios
+# Detection window: 4h x 6 = 24 hours (6 failures needed)
+#
+# Key insight: Attackers targeting port 587 (submission+STARTTLS) often
+# do 1 attempt every ~30-60 minutes to evade detection.
+# Standard postfix scenarios don't catch these because:
+# 1. They rely on explicit "SASL authentication failed" logs
+# 2. Port 587 only shows auth failures in disconnect lines (auth=0/N)
+#
+# Requires: melite/postfix-submission-auth parser (s02-enrich)
+#
+# Real-world example: 62.60.130.220 did 135 attempts over 20 hours (~1/9min average)
+type: leaky
+name: melite/postfix-submission-very-slow-bf
+description: "Detect very slow Postfix submission auth bruteforce (evasive attacks)"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'submission-auth-failed'"
+leakspeed: "4h"
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 5m
+reprocess: true
+labels:
+ service: postfix
+ remediation: true
+ confidence: 3
+ spoofable: 0
+ classification:
+ - attack.T1110
+ behavior: "smtp:evasive-bruteforce"
+ label: "Postfix Submission Very Slow Bruteforce"
diff --git a/scenarios/melite/postfix-very-slow-bf.md b/scenarios/melite/postfix-very-slow-bf.md
new file mode 100644
index 00000000000..5c8a26bd7ee
--- /dev/null
+++ b/scenarios/melite/postfix-very-slow-bf.md
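Review bot: The header says `# Requires: melite/postfix-submission-auth parser (s02-enrich)` while the accompanying `postfix-submission-very-slow-bf.md` attributes the `auth=0/N` extraction to `crowdsecurity/postfix-logs` (s01-parse); at most one of these is true, and whichever parser actually emits `log_type_enh == 'submission-auth-failed'` has to ship alongside this scenario or the filter matches nothing and the scenario is dead on install — fix the comment to name the real parser and add a `.tests/postfix-submission-very-slow-bf` case that drives it end to end. Beyond that, an `auth=0/N` disconnect line is also what a legitimate client with a stale saved password produces on every retry, so a 24-hour window with `capacity: 5`, `remediation: true` and `confidence: 3` will lock real users out after six retries; I would lower `confidence` or put a comment above `remediation:` telling operators to whitelist their own client ranges. The real source address in `# Real-world example: 62.60.130.220 ...` should be dropped or replaced with RFC 5737 documentation space before this is published.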
@@ -0,0 +1,30 @@
+## Description
+
+Detects very slow Postfix SMTP AUTH brute-force attacks where attackers space SASL authentication attempts ~30+ minutes apart to evade the standard `melite/postfix-slow-bf` scenario (15-minute leak rate).
+
+Uses a leaky bucket with a 4-hour leak rate and capacity of 5, creating a 24-hour detection window. Triggers after 6 failed SASL authentication attempts from the same IP.
+
+Includes a `_user-enum` variant for slow SASL username enumeration.
+
+**Detection window**: 24 hours (leakspeed 4h × 6 events)
+
+## Remediation
+
+Ban the attacking IP.
+
+## Example
+
+An attacker spaces SMTP auth attempts ~45 minutes apart:
+
+```
+Jan 15 08:00:00 server postfix/smtpd[1001]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 08:45:00 server postfix/smtpd[1002]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 09:30:00 server postfix/smtpd[1003]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:15:00 server postfix/smtpd[1004]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 11:00:00 server postfix/smtpd[1005]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 11:45:00 server postfix/smtpd[1006]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+```
+
+## Dependencies
+
+- Parser: `crowdsecurity/postfix-logs`
diff --git a/scenarios/melite/postfix-very-slow-bf.yaml b/scenarios/melite/postfix-very-slow-bf.yaml
new file mode 100644
index 00000000000..7768ccb20bb
--- /dev/null
+++ b/scenarios/melite/postfix-very-slow-bf.yaml
@@ -0,0 +1,44 @@
+# Scenario: Very slow Postfix SMTP AUTH bruteforce
+# Detects attackers doing < 1 attempt per 30 minutes to evade standard detection
+# Detection window: 4h x 6 = 24 hours (6 failures needed)
+#
+# Catches attackers spacing SASL auth attempts ~30min apart to evade
+# the standard postfix-slow-bf which has a 15min leakspeed.
+type: leaky
+name: melite/postfix-very-slow-bf
+description: "Detect very slow Postfix SMTP AUTH bruteforce (evasive attacks)"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'"
+leakspeed: "4h"
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 5m
+reprocess: true
+labels:
+ service: postfix
+ remediation: true
+ confidence: 2
+ spoofable: 0
+ classification:
+ - attack.T1110
+ behavior: "smtp:very-slow-bruteforce"
+ label: "Postfix Very Slow Bruteforce"
+---
+# SASL username enumeration variant
+type: leaky
+name: melite/postfix-very-slow-bf_user-enum
+description: "Detect very slow Postfix SASL user enumeration"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'"
+groupby: evt.Meta.source_ip
+distinct: evt.Meta.sasl_username
+leakspeed: "4h"
+capacity: 5
+blackhole: 5m
+labels:
+ service: postfix
+ remediation: true
+ confidence: 2
+ spoofable: 0
+ classification:
+ - attack.T1110
+ behavior: "smtp:user-enumeration"
+ label: "Postfix Very Slow User Enumeration"
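Review bot: Both documents here use the identical `filter` to `melite/postfix-slow-bf` (`log_type_enh == 'spam-attempt'`), so a fast bruteforce fills this 4h bucket at event 6 and the 900s bucket at event 8, and every such source yields two `melite/*` overflows on top of whatever the stock postfix spam scenario already raises; the header only describes the ~30-minute evasion case and says nothing about that overlap, so either accept it explicitly in a comment above `filter:` (e.g. `# Intentionally overlaps melite/postfix-slow-bf: any source that fills the 15min bucket also fills this one`) or narrow the intent. The `_user-enum` variant carries the same `distinct: evt.Meta.sasl_username` dependency as its 900s sibling: nothing in this change shows the parser setting that field, and an unset value collapses every event onto one key so the bucket can never fill — confirm the field exists and add a filter guard for the empty case. The variant also drops `reprocess` while the first document sets `reprocess: true`; make that deliberate or consistent.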