In audit.log I see entries like :

security - cmd=Auth; account=<somebody@somewhere.com>; protocol=soap; error=authentication failed for <somebody@somewhere.com>, invalid password;

These "invalid pass" tries make the account locked after 10 attemps. But these tries does not originate from the real user.

When I examine audit.log for originating ip address, I see that the protocal is soap and the ip address is the mail server address itself. This is always the case in soap communication.

So, if I cannot find the originating address for soap communcations, this is a true securtiy flaw in design IMHO.

Is there a way to determine the originating address in soap communication ?

Best Regards,