I use zimbra 7.2.0_GA_2669 on RHEL5_64.
I have a mailbox that keeps getting locked due to repeated (WEB?) invalid password attempts...
When we use imap, everything is fine (until the account gets locked).
So I suspect some bad guy trying to brute force the passord on the web interface, or a zimbra service using an old password?)...
The problem is that I am unable to find his IP in the logs.
Here's an example (220.127.116.11 is my zimbra server IP, and a.b.com its fqdn):
So, I get successful IMAP connections mixed with failed "SOAP" connections... until the account get locked.
2013-01-10 13:18:15,256 WARN [btpool0-151://a.b.com:7071/service/admin/soap/] [email@example.com;ip=18.104.22.168;] security - cmd=Auth; firstname.lastname@example.org; protocol=soap; error=authentication failed for [email@example.com], invalid password;
2013-01-10 13:18:15,210 INFO [btpool0-151://a.b.com:7071/service/admin/soap/] [ip=22.214.171.124;] soap - AuthRequest
2013-01-10 13:18:15,256 INFO [btpool0-151://a.b.com:7071/service/admin/soap/] [firstname.lastname@example.org;ip=126.96.36.199;] SoapEngine - handler exception: authentication failed for [email@example.com], invalid password
nothing at or close to the given time.
And I can only find my IPs/fqdn in the logs...
Any idea where I can find the real IP behind the "SOAP" connection attempts?