Thanks, updated my post. As for logging admin login attempts, I can only guess that those IP addresses have not been banned yet. With my config, they have 5 tries before being banned, and those 5 tries will get logged. Are there more than 5 log entries from an IP address? It's also likely that attacking the admin page is more common than regular webmail. If Zimbra allowed changing the admin port to something other than 7071, it would virtually eliminate admin attacks, but it's a 6-year-old feature request.