====== Zimbra Password Policy ======
FIXME Incomplete and unested.
===== Last Change Dates =====
Determine the last time users changed their passwords:
su - zimbra
zmprov sa -v "mail=*@example.tld" | egrep '^mail:|zimbraPasswordModifiedTime:|^$' | grep -v '^$\|^\s*\#'
===== Zimbra Admin Console =====
**Configure -> Class of Service -> -> Advanced -> Password**
===== CLI =====
:!: This will even work to set the same password, or override a policy limitation.
List all administrators:
su - zimbra
zmprov gaaa
Set a password:
su - zimbra
zmprov sp
:!: It may also work to just use ''admin'' instead of an e-mail address.
===== Zmauditswatch =====
https://wiki.zimbra.com/wiki/Zmauditswatch
zmlocalconfig | grep swatch
zmlocalconfig -e zimbra_swatch_notice_user=admin@domain.com
zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
zmlocalconfig -e zimbra_swatch_acct_threshold=15
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60
zmlocalconfig -e zimbra_swatch_threshold_seconds=3600
zmauditswatchctl start | stop | status
:!: For service **auto-start**, follow the wiki link above. I had to use the old style ''initd'' method.
chkconfig --add zmauditswatch
chkconfig --list
service zmauditswatch start | stop | status
===== Expiring Passwords Notification =====
**Original**: https://github.com/wuxmedia/Zimbra_passpoll
cd /opt/zimbra
wget https://raw.githubusercontent.com/wuxmedia/Zimbra_passpoll/master/passpoll.sh
chown zimbra.zimbra passpoll.sh
chmod +x passpoll.sh
su - zimbra
vi passpoll.sh
Modify **at least**:
FROM="admin@yourdomain.tld"
ADMIN_RECIPIENT="admin@yourdomain.tld"
SENDMAIL=$(ionice -c3 find /opt/zimbra/common/sbin -type f -iname sendmail)
Modify the ''zimbra'' user crontab to run the script daily:
crontab -e
Append at the bottom:
# Password Expiration Notifications
0 8 * * * /opt/zimbra/passpoll.sh > /tmp/passpoll.log
==== Modified passpoll.sh ====
This script has been **modified from the original** in several ways, including:
* **Number of user notifications**
* Four including final on last day
* **Content of user notifications**
* Instructions to change password
* Zimbra URL
* **Content of admin notifications**
* Include log
* **Daily expired password notifications**
#!/bin/bash
# TDH 2015-04-27
# Messy script for zimbra password expiry email notification.
# Meant to be performed as daily cronjob run as zimbra user.
# redirect output to a file to get a 'log file' of sorts.
# Start in tmp folder to eliminate permissions warnings
cd /tmp
# Time taken of script;
echo "Started on: $(date)"
# Set some vars:
# Notifications in days, then last warning. Don't use 1 as it's assumed.
FIRST="10"
SECOND="5"
LAST="3"
# Sent from:
FROM="admin@yourdomain.tld"
# Domain to check, e.g. 'example.com'; leave blank for all
DOMAIN=""
# Recipient who should receive an email with all expired accounts
ADMIN_RECIPIENT="admin@yourdomain.tld"
# URL for your Zimbra in message body
URL="https://zimbra.yourdomain.tld"
# Sendmail executable
SENDMAIL=$(ionice -c3 find /opt/zimbra/common/sbin -type f -iname sendmail)
# Get all users - it should run once only.
USERS=$(ionice -c3 /opt/zimbra/bin/zmprov -l gaa $DOMAIN | egrep -v "spam\.|ham\.|galsync\.|galsync\@|virus-quarantine")
#Todays date, in seconds:
DATE=$(date +%s)
# Iterate through them in for loop:
for USER in $USERS
do
# When was the password set?
USERINFO=$(ionice -c3 /opt/zimbra/bin/zmprov ga "$USER")
PASS_SET_DATE=$(echo "$USERINFO" | grep zimbraPasswordModifiedTime: | cut -d " " -f 2 | cut -c 1-8)
PASS_MAX_AGE=$(echo "$USERINFO" | grep "zimbraPasswordMaxAge:" | cut -d " " -f 2)
NAME=$(echo "$USERINFO" | grep givenName | cut -d " " -f 2)
# Check if we have set the account to no-expire
if [[ "$PASS_MAX_AGE" -eq "0" ]]
then
continue
fi
# Make the date for expiry from now.
EXPIRES=$(date -d "$PASS_SET_DATE $PASS_MAX_AGE days" +%s)
# Now, how many days until that?
DEADLINE=$(( (($DATE - $EXPIRES)) / -86400 ))
# Email to send to victims, ahem - users...
SUBJECT="$NAME - Your Password will expire in $DEADLINE days"
BODY="
Hi $NAME,
Your Zimbra e-mail account password will expire in $DEADLINE days, Please reset your password soon.
You can change your password in the Zimbra Web Client by clicking Preferences -> Change Password.
If you are seeing this message in any other mail client, click here to open the ZWC:
$URL
Thanks,
Your Zimbra Admin Team
"
# Send it off depending on days, adding verbose statements for the 'log'
# First warning
if [[ "$DEADLINE" -eq "$FIRST" ]]
then
echo "Subject: $SUBJECT" "$BODY" | $SENDMAIL -f "$FROM" "$USER"
echo "Reminder email sent to: $USER - $DEADLINE days left"
# Second
elif [[ "$DEADLINE" -eq "$SECOND" ]]
then
echo "Subject: $SUBJECT" "$BODY" | $SENDMAIL -f "$FROM" "$USER"
echo "Reminder email sent to: $USER - $DEADLINE days left"
# Third
elif [[ "$DEADLINE" -eq "$LAST" ]]
then
echo "Subject: $SUBJECT" "$BODY" | $SENDMAIL -f "$FROM" "$USER"
echo "Reminder email sent to: $USER - $DEADLINE days left"
# Final
elif [[ "$DEADLINE" -eq "1" ]]
then
echo "Subject: $SUBJECT" "$BODY" | $SENDMAIL -f "$FROM" "$USER"
echo "Last chance for: $USER - $DEADLINE days left"
# Check for Expired accounts, get last logon date add them to EXP_LIST2
#elif [[ "$DEADLINE" -lt "0" ]] && [ "$(date +%a)" = "Mon" ]
elif [[ "$DEADLINE" -lt "0" ]]
then
LASTDATE=$(echo "$USERINFO" | grep zimbraLastLogonTimestamp | cut -d " " -f 2 | cut -c 1-8)
LOGON=$(date -d "$LASTDATE")
EXP_LIST=$(echo "$USER's password has been expired for ${DEADLINE#-} day(s) now, last logon was $LOGON.")
EXP_LIST2="$EXP_LIST2 \n $EXP_LIST"
else
# > /dev/null for less verbose logs and a list of users.
echo "Account: $USER reports; $DEADLINE days on Password policy"
fi
# Finish for loop
done
echo ""
echo "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-"
# Send off list using hardcoded email addresses.
EXP_BODY="
Hello Admin team,
List of expired passwords and their last recorded login date:
$(echo -e "$EXP_LIST2")
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Log file:
$(cat /tmp/passpoll.log)
"
echo "Subject: List of accounts with expired passwords" "$EXP_BODY" | $SENDMAIL -f "$FROM" "$ADMIN_RECIPIENT"
# Expired accts, for the log:
echo -e "$EXP_LIST2"
echo "finished in $SECONDS seconds"
echo "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-"