Yeah... I'm also trying to put grommunio server(s) "behind stuff" with various degrees of "success"... but this login/lockout part is kinda "relevant" to Grommunio as forcing some "unrelated/standalone" authentication "in front" is rather problematic (other than relying on 40x/5xx HTTP(s) responses only, especially for non http protocols)
Yeah... source-digging is something for (nonexistent) spare time... so always resorting to "temporary" quick fixes 😉
fail2ban is "nice" on the network level... and the ip can be (easily) unbanned but on Grommunio side... I see no flags/alerts/checkboxes which could be checked or cleared...
And the problems arise when the user at the end starts complaining about "mail not working again"... with no easy way to "solve the issue"...