Hi,

I use zimbra 7.2.0_GA_2669 on RHEL5_64.
I have a mailbox that keeps getting locked due to repeated (WEB?) invalid password attempts...
When we use imap, everything is fine (until the account gets locked).
So I suspect some bad guy trying to brute force the password on the web interface (or a zimbra service using an old password?)...
The problem is that I am unable to find his IP in the logs.

Here's an example (1.2.3.4 is my zimbra server IP, and a.b.com its fqdn):

Code:
  audit.log:
  2013-01-10 13:18:15,256 WARN  [btpool0-151://a.b.com:7071/service/admin/soap/] [name=me@example.com;ip=1.2.3.4;] security - cmd=Auth; account=me@example.com; protocol=soap; error=authentication failed for [me@example.com], invalid password;
  
  mailbox.log:
  2013-01-10 13:18:15,210 INFO  [btpool0-151://a.b.com:7071/service/admin/soap/] [ip=1.2.3.4;] soap - AuthRequest
  2013-01-10 13:18:15,256 INFO  [btpool0-151://a.b.com:7071/service/admin/soap/] [name=me@example.com;ip=1.2.3.4;] SoapEngine - handler exception: authentication failed for [me@example.com], invalid password

  access_log.2013-01-10:
  nothing at or close to the given time.

So, I get successful IMAP connections mixed with failed "SOAP" connections... until the account gets locked.
And I can only find my IPs/fqdn in the logs...
Any idea where I can find the real IP behind the "SOAP" connection attempts?
Thx.

Regards,
JD
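
Added example, not part of JD's post: a Python script that tallies failed Auth events from audit.log lines in the layout quoted above, grouped by account, protocol, logged ip, and the listener port and path taken from the thread name. The function names, the `own_ips` parameter and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Layout taken from the audit.log line quoted in the post:
# <timestamp> <LEVEL> [<thread>] [<k=v;...>] security - <k=v; ...>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+\w+\s+"
    r"\[(?P<thread>[^\]]*)\]\s+\[(?P<ctx>[^\]]*)\]\s+security - (?P<body>.*)$"
)
# The thread name embeds the request URL: host, optional port, path.
ENDPOINT_RE = re.compile(r"://[^/:\s]+(?::(?P<port>\d+))?(?P<path>/\S*)?")

def parse_kv(text):
    """Turn 'k=v; k=v;' into a dict, splitting each pair on its first '='."""
    pairs = {}
    for part in text.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            pairs[key] = value
    return pairs

def summarize_failed_auth(lines, own_ips=()):
    """Count failed Auth events by (account, protocol, ip, port, path, ip_is_own).

    ip_is_own is True when the logged ip is one of the server's own addresses,
    i.e. the ip field does not identify the originating client."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an audit "security" record
        body, ctx = parse_kv(m["body"]), parse_kv(m["ctx"])
        if body.get("cmd") != "Auth" or "error" not in body:
            continue  # only failed authentications
        ep = ENDPOINT_RE.search(m["thread"])
        port = (ep["port"] if ep else None) or "-"
        path = (ep["path"] if ep else None) or "-"
        ip = ctx.get("ip", "-")
        counts[(body.get("account", "-"), body.get("protocol", "-"),
                ip, port, path, ip in own_ips)] += 1
    return counts

# First line is the one from the post; the other three are constructed.
SAMPLE = [
    "2013-01-10 13:18:15,256 WARN  [btpool0-151://a.b.com:7071/service/admin/soap/] [name=me@example.com;ip=1.2.3.4;] security - cmd=Auth; account=me@example.com; protocol=soap; error=authentication failed for [me@example.com], invalid password;",
    "2013-01-10 13:19:15,301 WARN  [btpool0-153://a.b.com:7071/service/admin/soap/] [name=me@example.com;ip=1.2.3.4;] security - cmd=Auth; account=me@example.com; protocol=soap; error=authentication failed for [me@example.com], invalid password;",
    "2013-01-10 13:20:02,114 WARN  [btpool0-152://a.b.com/service/soap/] [name=me@example.com;ip=198.51.100.7;] security - cmd=Auth; account=me@example.com; protocol=soap; error=authentication failed for [me@example.com], invalid password;",
    "2013-01-10 13:18:15,210 INFO  [btpool0-151://a.b.com:7071/service/admin/soap/] [ip=1.2.3.4;] soap - AuthRequest",
]

if __name__ == "__main__":
    for key, n in summarize_failed_auth(SAMPLE, own_ips={"1.2.3.4"}).most_common():
        print(n, key)
```

Rows with the last field `True` are the ones where the logged ip is the server itself, so the listener port and path are the only remaining clue to which entry point received the request.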