I have one account that keeps getting locked out. Looking at the audit.log file I find a very curious entry
2012-11-25 00:22:31,794 WARN [btpool0-15://zimbra1.mydomain.net:7071/service/admin/soap/] [firstname.lastname@example.org;ip=22.214.171.124;] security - cmd=Auth; email@example.com; protocol=soap; error=authentication failed for [firstname.lastname@example.org], account lockout;
where 126.96.36.199 is the ip address of the zimbra server. There are several other simular errors, but all of them have "//zimbra1.mydomain.net:7071" in them.
I see many (what I beleive is ) legitimate entries from this user such as:
2012-11-25 01:16:04,485 INFO [btpool0-14://zimbra1.mydomain.net/service/soap/AuthRequest] [email@example.com;ip=188.8.131.52;ua=ZimbraConnector ForOutlook/184.108.40.2067;] security - cmd=Auth; firstname.lastname@example.org; protocol=soap;
where 220.127.116.11 is the ip address of the user
The lockout is only occuring on the one account.
Zimbra version zcs-NETWORK-7.1.2_GA_3268.RHEL5_64.20110804120428