====== Zimbra Password Policy ======

FIXME Incomplete and untested.

===== Last Change Dates =====

Determine the last time users changed their passwords (''zimbraPasswordModifiedTime'' is a GeneralizedTime value, ''YYYYMMDDhhmmssZ''):

<code bash>
su - zimbra
zmprov sa -v "mail=*@example.tld" | egrep '^mail:|zimbraPasswordModifiedTime:|^$' | grep -v '^$\|^\s*\#'
</code>

===== Zimbra Admin Console =====

**Configure -> Class of Service -> (select the CoS) -> Advanced -> Password**

===== CLI =====

:!: Setting a password with ''zmprov'' bypasses the password policy: it will even accept the same password again, or one that violates a policy limitation.

List all administrators:

<code bash>
su - zimbra
zmprov gaaa
</code>

Set a password (replace the account and password placeholders):

<code bash>
su - zimbra
zmprov sp user@example.tld 'new-password'
</code>

:!: It may also work to just use ''admin'' instead of an e-mail address.

===== Zmauditswatch =====

https://wiki.zimbra.com/wiki/Zmauditswatch

<code bash>
# Show the current swatch settings
zmlocalconfig | grep swatch
# Who gets the alert e-mail
zmlocalconfig -e zimbra_swatch_notice_user=admin@domain.com
# Failed logins from one IP against one account
zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
# Failed logins against one account from any IP
zmlocalconfig -e zimbra_swatch_acct_threshold=15
# Failed logins from one IP against any account
zmlocalconfig -e zimbra_swatch_ip_threshold=20
# Failed logins overall
zmlocalconfig -e zimbra_swatch_total_threshold=60
# Time window (seconds) in which the thresholds above are counted
zmlocalconfig -e zimbra_swatch_threshold_seconds=3600
zmauditswatchctl start | stop | status
</code>

:!: For service **auto-start**, follow the wiki link above. I had to use the old style ''initd'' method.

<code bash>
chkconfig --add zmauditswatch
chkconfig --list
service zmauditswatch start | stop | status
</code>

===== Expiring Passwords Notification =====

**Original**: https://github.com/wuxmedia/Zimbra_passpoll

<code bash>
cd /opt/zimbra
wget https://raw.githubusercontent.com/wuxmedia/Zimbra_passpoll/master/passpoll.sh
chown zimbra.zimbra passpoll.sh
chmod +x passpoll.sh
su - zimbra
vi passpoll.sh
</code>

Modify **at least**:

<code bash>
FROM="admin@yourdomain.tld"
ADMIN_RECIPIENT="admin@yourdomain.tld"
SENDMAIL=$(ionice -c3 find /opt/zimbra/common/sbin -type f -iname sendmail)
</code>

Modify the ''zimbra'' user crontab to run the script daily:

<code bash>
crontab -e
</code>

Append at the bottom:

<code>
# Password Expiration Notifications
0 8 * * * /opt/zimbra/passpoll.sh > /tmp/passpoll.log
</code>

==== Modified passpoll.sh ====

This script has been **modified from the original** in several ways, including:

  * **Number of user notifications**
    * Four, including a final one on the last day
  * **Content of user notifications**
    * Instructions to change the password
    * Zimbra URL
  * **Content of admin notifications**
    * Include the log
  * **Daily expired password notifications**

<code bash>
#!/bin/bash
# TDH 2015-04-27
# Messy script for zimbra password expiry email notification.
# Meant to be performed as daily cronjob run as zimbra user.
# redirect output to a file to get a 'log file' of sorts.

# Start in tmp folder to eliminate permissions warnings
cd /tmp

# Time taken of script;
echo "Started on: $(date)"

# Set some vars:
# Notifications in days, then last warning. Don't use 1 as it's assumed.
FIRST="10"
SECOND="5"
LAST="3"
# Sent from:
FROM="admin@yourdomain.tld"
# Domain to check, e.g. 'example.com'; leave blank for all
DOMAIN=""
# Recipient who should receive an email with all expired accounts
ADMIN_RECIPIENT="admin@yourdomain.tld"
# URL for your Zimbra in message body
URL="https://zimbra.yourdomain.tld"
# Sendmail executable
SENDMAIL=$(ionice -c3 find /opt/zimbra/common/sbin -type f -iname sendmail)

# send_mail <recipient> <subject> <body>
# Headers and body must be separated by a blank line, otherwise sendmail
# may treat the first body line as a header.
send_mail() {
    printf 'To: %s\nSubject: %s\n\n%s\n' "$1" "$2" "$3" | $SENDMAIL -f "$FROM" "$1"
}

# Get all users - it should run once only.
USERS=$(ionice -c3 /opt/zimbra/bin/zmprov -l gaa $DOMAIN | egrep -v "spam\.|ham\.|galsync\.|galsync\@|virus-quarantine")

# Todays date, in seconds:
DATE=$(date +%s)

# Iterate through them in for loop:
for USER in $USERS
do
    # When was the password set?
    USERINFO=$(ionice -c3 /opt/zimbra/bin/zmprov ga "$USER")
    PASS_SET_DATE=$(echo "$USERINFO" | grep zimbraPasswordModifiedTime: | cut -d " " -f 2 | cut -c 1-8)
    PASS_MAX_AGE=$(echo "$USERINFO" | grep "zimbraPasswordMaxAge:" | cut -d " " -f 2)
    NAME=$(echo "$USERINFO" | grep givenName | cut -d " " -f 2)

    # Check if we have set the account to no-expire
    if [[ "$PASS_MAX_AGE" -eq "0" ]]
    then
        continue
    fi

    # Skip accounts with no recorded password change; without this check,
    # date(1) would silently compute the expiry relative to today.
    if [[ -z "$PASS_SET_DATE" ]]
    then
        echo "Account: $USER has no zimbraPasswordModifiedTime, skipping"
        continue
    fi

    # Make the date for expiry from now.
    EXPIRES=$(date -d "$PASS_SET_DATE $PASS_MAX_AGE days" +%s)
    # Now, how many days until that?
    DEADLINE=$(( (($DATE - $EXPIRES)) / -86400 ))

    # Email to send to victims, ahem - users...
    SUBJECT="$NAME - Your Password will expire in $DEADLINE days"
    BODY="
Hi $NAME,

Your Zimbra e-mail account password will expire in $DEADLINE days,
Please reset your password soon.

You can change your password in the Zimbra Web Client by clicking Preferences -> Change Password.

If you are seeing this message in any other mail client, click here to open the ZWC: $URL

Thanks,
Your Zimbra Admin Team
"

    # Send it off depending on days, adding verbose statements for the 'log'
    # First warning
    if [[ "$DEADLINE" -eq "$FIRST" ]]
    then
        send_mail "$USER" "$SUBJECT" "$BODY"
        echo "Reminder email sent to: $USER - $DEADLINE days left"
    # Second
    elif [[ "$DEADLINE" -eq "$SECOND" ]]
    then
        send_mail "$USER" "$SUBJECT" "$BODY"
        echo "Reminder email sent to: $USER - $DEADLINE days left"
    # Third
    elif [[ "$DEADLINE" -eq "$LAST" ]]
    then
        send_mail "$USER" "$SUBJECT" "$BODY"
        echo "Reminder email sent to: $USER - $DEADLINE days left"
    # Final
    elif [[ "$DEADLINE" -eq "1" ]]
    then
        send_mail "$USER" "$SUBJECT" "$BODY"
        echo "Last chance for: $USER - $DEADLINE days left"
    # Check for Expired accounts, get last logon date add them to EXP_LIST2
    #elif [[ "$DEADLINE" -lt "0" ]] && [ "$(date +%a)" = "Mon" ]
    elif [[ "$DEADLINE" -lt "0" ]]
    then
        LASTDATE=$(echo "$USERINFO" | grep zimbraLastLogonTimestamp | cut -d " " -f 2 | cut -c 1-8)
        LOGON=$(date -d "$LASTDATE")
        EXP_LIST=$(echo "$USER's password has been expired for ${DEADLINE#-} day(s) now, last logon was $LOGON.")
        EXP_LIST2="$EXP_LIST2 \n $EXP_LIST"
    else
        # > /dev/null for less verbose logs and a list of users.
        echo "Account: $USER reports; $DEADLINE days on Password policy"
    fi
# Finish for loop
done

echo ""
echo "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-"

# Send off list using hardcoded email addresses.
EXP_BODY="
Hello Admin team,

List of expired passwords and their last recorded login date:
$(echo -e "$EXP_LIST2")
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Log file:
$(cat /tmp/passpoll.log)
"
send_mail "$ADMIN_RECIPIENT" "List of accounts with expired passwords" "$EXP_BODY"

# Expired accts, for the log:
echo -e "$EXP_LIST2"
echo "finished in $SECONDS seconds"
echo "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-"
</code>
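The days-to-expiry arithmetic that passpoll.sh performs on the ''zimbraPasswordModifiedTime'' / ''zimbraPasswordMaxAge'' pair (the same attributes the "Last Change Dates" section lists), isolated so it can be exercised offline. This is an added example, not code from this page or from the Zimbra_passpoll project; the ''zmprov ga'' output it parses is a constructed sample, and the thresholds are the ones from the script above. It handles the two cases the script has to special-case (max age 0, no modified time) and pins ''TZ=UTC'', because integer division across a DST change would otherwise shave a day off the count.

```bash
#!/bin/bash
# Added example (not from the page or Zimbra_passpoll): expiry calculation
# over constructed "zmprov ga" output. Attribute values are made up.
SAMPLE_USERINFO='# name alice@example.tld
givenName: Alice
mail: alice@example.tld
zimbraPasswordMaxAge: 90
zimbraPasswordModifiedTime: 20150101120000Z
zimbraLastLogonTimestamp: 20150420093000Z'

# Same notification days as passpoll.sh; 1 day is always the final warning.
FIRST=10
SECOND=5
LAST=3

# attr <userinfo> <attribute>: print one value from "attr: value" output.
attr() {
    printf '%s\n' "$1" | awk -v a="$2:" '$1 == a { print $2; exit }'
}

# days_to_expiry <userinfo> [<today as YYYY-MM-DD>]
# Prints days until expiry (negative when already expired), "never" when the
# max age is 0 or unset, or "unknown" when no modified time is recorded.
days_to_expiry() {
    local info="$1" today="${2:-$(date +%Y-%m-%d)}"
    local max_age set_time set_date now expires
    max_age=$(attr "$info" zimbraPasswordMaxAge)
    set_time=$(attr "$info" zimbraPasswordModifiedTime)
    if [ -z "$max_age" ] || [ "$max_age" -eq 0 ]; then echo never; return 0; fi
    if [ -z "$set_time" ]; then echo unknown; return 0; fi
    set_date=$(printf '%s' "$set_time" | cut -c 1-8)      # YYYYMMDD part
    # Midnight-to-midnight in UTC so a DST shift cannot drop a day
    now=$(TZ=UTC date -d "$today" +%s)
    expires=$(TZ=UTC date -d "$set_date $max_age days" +%s)
    echo $(( (expires - now) / 86400 ))
}

# notification_for <days>: which of the script's branches would fire.
notification_for() {
    case "$1" in
        never|unknown) echo none ;;
        "$FIRST")  echo first ;;
        "$SECOND") echo second ;;
        "$LAST")   echo third ;;
        1)         echo final ;;
        *) if [ "$1" -lt 0 ]; then echo expired; else echo none; fi ;;
    esac
}

# Stand-alone run: report the sample account as of a fixed date.
d=$(days_to_expiry "$SAMPLE_USERINFO" 2015-03-25)
echo "alice@example.tld: $d day(s) left, notification: $(notification_for "$d")"
```

Run it as is to see the sample account reported with 7 days left; pass a different date as the second argument to ''days_to_expiry'' to walk the account through each warning and into the expired state.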
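To make the four ''zimbra_swatch_*_threshold'' settings from the Zmauditswatch section concrete, here is a small re-implementation of the counting they describe, run over constructed failed-login lines. This is an added example, not zmauditswatch itself and not code from this page; the line layout approximates Zimbra's ''audit.log'' (''cmd=Auth; account=...; error=authentication failed ...'' with the client address in ''oip=''), and the hosts, accounts and addresses are made up. It counts failures within the window measured back from the newest line, which is a simplification of the sliding window the real daemon keeps.

```bash
#!/bin/bash
# Added example (not zmauditswatch, not from the page): threshold check over
# constructed audit.log-style lines. All names and addresses are invented.

# gen_line <timestamp> <ip> <account>: one failed-auth line in the shape of
# Zimbra's audit.log (approximation for this demo).
gen_line() {
    printf '%s,000 WARN [qtp-1://mail.example.tld/service/soap/AuthRequest] [name=%s;oip=%s;ua=zclient;] security - cmd=Auth; account=%s; protocol=soap; error=authentication failed for [%s], invalid password;\n' \
        "$1" "$3" "$2" "$3" "$3"
}

# Constructed log: one stale failure from the day before, 12 failures from
# 10.0.0.5 against bob, 4 more against bob from 10.0.0.9, one against carol.
SAMPLE_LOG=$(
    gen_line "2015-04-26 08:00:00" 10.0.0.5 bob@example.tld
    i=0
    while [ $i -lt 12 ]; do
        gen_line "2015-04-27 08:10:$(printf '%02d' "$i")" 10.0.0.5 bob@example.tld
        i=$((i + 1))
    done
    i=0
    while [ $i -lt 4 ]; do
        gen_line "2015-04-27 08:20:$(printf '%02d' "$i")" 10.0.0.9 bob@example.tld
        i=$((i + 1))
    done
    gen_line "2015-04-27 08:30:00" 10.0.0.9 carol@example.tld
)

# swatch_check <logtext> <ipacct> <acct> <ip> <total> <seconds>
# Counts failed Auth commands no older than <seconds> before the newest
# failure (lines are assumed chronological) and prints one line per
# threshold reached: "IPACCT ip account n", "ACCT account n", "IP ip n",
# "TOTAL n". Output is sorted so it is stable.
swatch_check() {
    local log="$1" t_ipacct="$2" t_acct="$3" t_ip="$4" t_total="$5" window="$6"
    local newest cutoff
    newest=$(printf '%s\n' "$log" | grep 'cmd=Auth;' | grep 'authentication failed' | tail -n 1 | cut -c 1-19)
    [ -n "$newest" ] || return 0
    cutoff=$(TZ=UTC date -d "$newest $window seconds ago" '+%Y-%m-%d %H:%M:%S')
    printf '%s\n' "$log" | awk -v cutoff="$cutoff" -v t_ipacct="$t_ipacct" \
        -v t_acct="$t_acct" -v t_ip="$t_ip" -v t_total="$t_total" '
        !/cmd=Auth;/ || !/authentication failed/ { next }
        substr($0, 1, 19) < cutoff { next }   # fixed-width timestamp, string compare
        {
            ip = ""; acct = ""
            if (match($0, /oip=[^;]*/))     ip   = substr($0, RSTART + 4, RLENGTH - 4)
            if (match($0, /account=[^;]*/)) acct = substr($0, RSTART + 8, RLENGTH - 8)
            ipacct[ip " " acct]++; byacct[acct]++; byip[ip]++; total++
        }
        END {
            for (k in ipacct) if (ipacct[k] >= t_ipacct) print "IPACCT " k " " ipacct[k]
            for (k in byacct) if (byacct[k] >= t_acct)   print "ACCT " k " " byacct[k]
            for (k in byip)   if (byip[k] >= t_ip)       print "IP " k " " byip[k]
            if (total >= t_total) print "TOTAL " total
        }' | sort
}

# Stand-alone run with the thresholds configured on this page.
swatch_check "$SAMPLE_LOG" 10 15 20 60 3600
```

With the page's thresholds this reports the per-IP-per-account breach (12 from 10.0.0.5 against bob) and the per-account breach (16 against bob from both addresses); the stale line from the previous day is outside the 3600 s window and is not counted. Widen the window to 90000 s and both counts go up by one, which is the effect ''zimbra_swatch_threshold_seconds'' has in the real daemon.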