I've been having problems where someone is targeting key user accounts including my own. I've been trying to track down the offending IPs using audit.log and zmauditswatchctl but I'm not having any luck. What I keep getting are reports that my own server is trying to hack my account. (account/domain/ip changed for this posting):
2013-04-30 00:20:58,167 WARN [btpool0-2199://mydomain.com:7071/service/admin/soap/] [firstname.lastname@example.org;ip=192.168.20.9;] security - cmd=Auth; email@example.com; protocol=soap; error=authentication failed for [firstname.lastname@example.org], invalid password;
I have to assume this means that the attacker is using the web interface to try and log into the account. Zimbra's account lockout function seems to be working fine but unfortunately when an account is locked out that means my phone, my tablet, my laptop and my PC also cannot access my mail until the lockout has ended.
How can we get the actual IP of the attacker to be reported instead of the server's own IP?
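A small parser for the audit.log line shape quoted above, added here as an example and not part of the original post or of Zimbra itself: it counts failed Auth attempts per target account and per source IP, and separately flags the entries whose ip= field is the server's own address, which is exactly the case where the log gives no attribution. The sample log lines, the unrelated INFO line and the server address 192.168.20.9 are constructed for the example.

```python
import re
from collections import Counter

# Matches the "security - cmd=Auth" WARN line shape seen in Zimbra's audit.log.
AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ WARN "
    r"\[(?P<thread>[^\]]*)\] \[(?P<ctx>[^\]]*)\] security - cmd=Auth; "
    r"(?P<acct>[^;]+); protocol=(?P<proto>[^;]+); "
    r"error=authentication failed for \[(?P<target>[^\]]+)\], (?P<reason>[^;]+);"
)

# Constructed sample: two failures logged with the server's own IP, two with an external one.
SAMPLE_LOG = """\
2013-04-30 00:20:58,167 WARN [btpool0-2199://mydomain.com:7071/service/admin/soap/] [firstname.lastname@example.org;ip=192.168.20.9;] security - cmd=Auth; email@example.com; protocol=soap; error=authentication failed for [firstname.lastname@example.org], invalid password;
2013-04-30 00:21:03,410 WARN [btpool0-2201://mydomain.com:7071/service/admin/soap/] [firstname.lastname@example.org;ip=192.168.20.9;] security - cmd=Auth; email@example.com; protocol=soap; error=authentication failed for [firstname.lastname@example.org], invalid password;
2013-04-30 00:21:09,002 WARN [btpool0-2205://mydomain.com:7071/service/admin/soap/] [firstname.lastname@example.org;ip=203.0.113.7;] security - cmd=Auth; email@example.com; protocol=soap; error=authentication failed for [firstname.lastname@example.org], invalid password;
2013-04-30 00:21:15,550 WARN [btpool0-2207://mydomain.com:7071/service/admin/soap/] [other.user@example.org;ip=203.0.113.7;] security - cmd=Auth; email@example.com; protocol=soap; error=authentication failed for [other.user@example.org], invalid password;
2013-04-30 00:21:20,000 INFO [btpool0-2208] unrelated line that the parser must skip
"""


def parse_auth_failures(text):
    """Yield (timestamp, target_account, source_ip, protocol) for each failed Auth line."""
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        # The bracketed context holds "user;ip=ADDR;" so pull the ip= field out of it.
        ipm = re.search(r"ip=([^;\]]+)", m.group("ctx"))
        ip = ipm.group(1) if ipm else "unknown"
        yield m.group("ts"), m.group("target"), ip, m.group("proto")


def summarize(text, server_ips):
    """Count failures per (account, ip) and flag those whose ip is the server itself.

    Entries attributed to the server's own address carry no information about the
    real client, so they are tallied separately as 'unattributed' per account.
    """
    per_pair = Counter()
    unattributed = Counter()
    for _ts, acct, ip, _proto in parse_auth_failures(text):
        per_pair[(acct, ip)] += 1
        if ip in server_ips:
            unattributed[acct] += 1
    return per_pair, unattributed


if __name__ == "__main__":
    pairs, unattrib = summarize(SAMPLE_LOG, {"192.168.20.9"})
    for (acct, ip), n in sorted(pairs.items()):
        print(f"{acct:35} {ip:15} {n}")
    print("unattributed (server's own IP):", dict(unattrib))
```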