In audit.log I see entries like:
security - cmd=Auth; account=<email@example.com>; protocol=soap; error=authentication failed for <firstname.lastname@example.org>, invalid password;
These "invalid pass" tries make the account locked after 10 attempts. But these tries do not originate from the real user.
When I examine audit.log for the originating IP address, I see that the protocol is soap and the IP address is the mail server address itself. This is always the case in soap communication.
So, if I cannot find the originating address for soap communications, this is a true security flaw in design IMHO.
Is there a way to determine the originating address in soap communication?