There are multiple ways to defeat most captcha systems, and they offer a different type of protection to the auto password lock system.
If someone is trying to brute force one of your accounts, then having it lock out lets you know that something is amiss. The main admin shouldn't just go to the admin console and unlock the account; they should work out WHY the account was locked. Was it the user themselves keying in the password wrong, or was it a hacking attempt? The information gathered from that check is powerful.
If someone is trying to brute force an account, and in addition to the username and password they need a captcha, then it's not likely to stop them; they could brute force the captcha or send its details out to services that deal with them.
If you do go ahead and implement such a system, you'd need to be pretty secure in two things:
1, that your code is good enough to always work, every time, no exceptions. You don't want a user to be keying everything in correctly and still be unable to connect,
2, that the captcha system you use is unbreakable. You don't want to go to all this effort for a system that's trivial to defeat.
I can't offer any help with the actual coding, but I'd imagine you could simply hijack the login process to show your own login system which would, once authenticated, call Zimbra's pre-authentication mechanisms to then automatically log the user in. There's lots of detail on this in the wiki.
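
The pre-authentication hand-off mentioned in the post, as an added example that is not part of the original post and not Zimbra's own code. It assumes Zimbra's documented preauth format (hex HMAC-SHA1 over `account|by|expires|timestamp`, keyed with the domain preauth key); `build_preauth_url`, `checks_passed`, the host name and the sample key are hypothetical.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed sample key for illustration only. A real key comes from
# `zmprov generateDomainPreAuthKey <domain>` and must stay server-side:
# anyone holding it can log in as any account in the domain.
SAMPLE_KEY = "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"


def compute_preauth(key, account, timestamp_ms, expires=0, by="name"):
    """Hex HMAC-SHA1 over 'account|by|expires|timestamp' (assumed format)."""
    message = f"{account}|{by}|{expires}|{timestamp_ms}"
    return hmac.new(key.encode(), message.encode(), hashlib.sha1).hexdigest()


def build_preauth_url(base_url, key, account, checks_passed, timestamp_ms=None):
    """Return the redirect URL, or None if the front end's own checks failed.

    checks_passed stands for the result of the custom login page's password
    and captcha verification (hypothetical, not shown here).
    """
    if not checks_passed:
        return None  # never mint a token for an unverified login
    if timestamp_ms is None:
        # Milliseconds since the epoch. Keep the front end's clock in sync
        # with the mail server, or valid logins will be refused as stale.
        timestamp_ms = int(time.time() * 1000)
    params = {
        "account": account,
        "by": "name",
        "timestamp": timestamp_ms,
        "expires": 0,  # 0 = fall back to the account's default token lifetime
        "preauth": compute_preauth(key, account, timestamp_ms),
    }
    return f"{base_url}/service/preauth?{urlencode(params)}"


if __name__ == "__main__":
    print(build_preauth_url("https://mail.example.com", SAMPLE_KEY,
                            "user@example.com", checks_passed=True))
```

Because the custom page now sits in front of the real login, failed attempts have to be counted and logged there as well, otherwise the lockout signal described above is lost.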