auth required /lib/security/$ISA/pam_tally2.so deny=5 unlock_time=900
However, I later found that if you're running dovecot (version 0.99.11-9 -- maybe it's been fixed since then), it doesn't reset the tally on a successful login; i.e. it does not call pam_setcred. So, if the user is only logging in via dovecot, and they are checking mail at an interval less than your reset time, eventually the account will get locked out!
To fix this, you have to call pam_tally2 in the "account" section to reset the tally. You can do this in either the "system-auth" file, or in the "dovecot" file:
account required /lib/security/$ISA/pam_tally2.so
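
A quick way to audit for this condition, as an added example that is not part of the original post: the script reports when pam_tally2 appears in the "auth" section of the given PAM files but not in "account". The function names and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag a PAM configuration in
# which pam_tally2 counts failures in "auth" but is absent from "account",
# so a service that never calls pam_setcred never resets the tally.
# Include directives are not followed: pass every file that makes up the
# service's stack, e.g. /etc/pam.d/dovecot and /etc/pam.d/system-auth.

# has_tally2 GROUP FILE... -> exit 0 if an active (non-comment) line of
# management group GROUP references pam_tally2.so.
has_tally2() {
    group=$1; shift
    awk -v g="$group" '
        /^[ \t]*#/ { next }                  # ignore commented-out lines
        { t = $1; sub(/^-/, "", t) }         # "-auth" marks an optional module
        t == g && /pam_tally2\.so/ { found = 1 }
        END { exit !found }
    ' "$@"
}

# check_tally_reset FILE... -> 0 if safe, 1 if nothing in "account" resets it.
check_tally_reset() {
    if ! has_tally2 auth "$@"; then
        echo "OK: pam_tally2 is not used in auth"
        return 0
    fi
    if has_tally2 account "$@"; then
        echo "OK: pam_tally2 is in both auth and account"
        return 0
    fi
    echo "WARN: pam_tally2 in auth only; tally is reset only if the service calls pam_setcred"
    return 1
}

# Constructed sample: the auth line from above with no account counterpart.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth required /lib/security/$ISA/pam_tally2.so deny=5 unlock_time=900
auth required pam_unix.so
account required pam_unix.so
EOF
check_tally_reset "$sample" || true
rm -f "$sample"
```

Run it against the dovecot file together with system-auth, since the account line may live in either one.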