Lou Duchez wrote:
This arrangement is designed to trap POP3 and IMAP separately, and also to allow a high number of errors before temporarily "jailing" a user. This is to decrease the likelihood that a single user from a single IP will get all his coworkers (temporarily) banned over an honest mistake in configuration.
I have noticed recent breaking attempts which appear to be a slow coordinated botnet using multiple IPs and trying a combination of SMTP + POP + IMAP (can't remember if it did both of the later or just POP?).
As a result I tried to combine all three into a single test. Actually I did the wrong thing, but if you look through my previous posts you can see someone (Bill?) correct me and post the correct config for this
I would recommend you be aware of this - in my case I was seeing less than a few attempts from a given IP in a 10 min period, but lots of what appeared to be coordinated attempts at the server level. (eg some servers were only trying a few logins per day, but across enough IP addresses this was a fairly rapidly filling the logs)
Good luck
Ed W