Hi.
You may want to run the following steps to isolate the issue whether it is FE-facing, FE-BE or is it BE-AD interactions?
Assuming involving POP3 and not POP3s (if with POP3s, test accordingly using something like
openssl s_client -connect server:port)
1. Do a POP3 connection to the FE server using telnet (using valid username/password) and verify that the POP3 session is in order. Do this test from the FE's LAN network as well as from the Internet (just in case there's some sort of POP3 Proxy mid-way)
and compare the Banner/Return values displayed.
- If possible, test using the account that was commonly locked out.
######## !!! PRIVACY ALERT !!!! ########
2. Run (for a while) a packet sniffer (using tcpdump , wireshark etc) on the FE and verify if the client's sent username/password is in fact correct. (if using POP3s you will need the FE's certificate Private Key to decrypt the SSL session) - this is only
relevant if you're using Basic authentication of course. You will probably have to wait accrding to the clien't POP3 sync schedule :)
- You would probably want to exclude and filter-out all other non-POP traffic from the sniff.
################################
3. While sniffing you may want to confirm the source IP addresses of POP3 connections are actually coming from your clients and not from unknown sources. Based on your previous logs, you may want to set up the sniffing at the most often time the issue happened.