Zimbra Password Policy

FIXME Incomplete and untested.

Last Change Dates

Determine the last time users changed their passwords:

su - zimbra
zmprov sa -v "mail=*@example.tld" | grep -E '^mail:|^zimbraPasswordModifiedTime:'
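The pipeline above only dumps raw LDAP timestamps. The script below is an added example, not from this page or from Zimbra, that parses that output into a per-account password age and lists accounts whose password is older than a limit or has never been changed. It assumes GNU date and is fed constructed sample output (the account names and timestamps are made up) so that it runs without a Zimbra server; in production, pipe the zmprov command straight into stale_accounts instead.

```bash
#!/bin/bash
# Added example (not from the wiki page or Zimbra): turn the raw zimbraPasswordModifiedTime
# dump from  zmprov sa -v "mail=*@example.tld" | grep -E '^mail:|^zimbraPasswordModifiedTime:'
# into an "account age-in-days" report and list accounts over a limit. Needs GNU date.
# The input below is constructed; it is not output from a real server.
SAMPLE_ZMPROV_OUTPUT='mail: alice@example.tld
zimbraPasswordModifiedTime: 20220101120000Z
mail: bob@example.tld
zimbraPasswordModifiedTime: 20211001080000Z
mail: svc-scanner@example.tld'

# LDAP GeneralizedTime (YYYYMMDDhhmmssZ, UTC) -> epoch seconds.
gt_to_epoch() {
    date -u -d "$(printf '%s' "$1" | sed -E 's/^(....)(..)(..)(..)(..)(..).*$/\1-\2-\3 \4:\5:\6/')" +%s
}

# emit_age NOW ACCOUNT [TIMESTAMP]: one line per account; "never" when the account carries
# no zimbraPasswordModifiedTime at all (password untouched since the attribute appeared).
emit_age() {
    local now="$1" account="$2" ts="$3"
    [ -n "$account" ] || return 0
    if [ -n "$ts" ]; then
        printf '%s %d\n' "$account" $(( (now - $(gt_to_epoch "$ts")) / 86400 ))
    else
        printf '%s never\n' "$account"
    fi
}

# password_ages NOW_EPOCH < zmprov-output
# zmprov prints the attributes of one account, then the next "mail:" line starts another.
password_ages() {
    local now="$1" line account="" ts=""
    while IFS= read -r line; do
        case "$line" in
            "mail: "*)                       emit_age "$now" "$account" "$ts"
                                             account="${line#mail: }"; ts="" ;;
            "zimbraPasswordModifiedTime: "*) ts="${line#zimbraPasswordModifiedTime: }" ;;
        esac
    done
    emit_age "$now" "$account" "$ts"
}

# stale_accounts NOW_EPOCH LIMIT_DAYS < zmprov-output
# Accounts whose password is older than LIMIT_DAYS, plus those that never changed it.
stale_accounts() {
    password_ages "$1" | awk -v limit="$2" '$2 == "never" || $2 + 0 > limit { print $1 }'
}

# Stand-alone run against the constructed sample with a 90-day limit, measured from now.
printf '%s\n' "$SAMPLE_ZMPROV_OUTPUT" | stale_accounts "$(date +%s)" 90
```

Accounts reported as "never" deserve a look of their own: a password that predates the attribute was set under whatever policy was in force at the time, and the expiry script further down cannot age it either.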

Zimbra Admin Console

Configure → Class of Service → <CoS> → Advanced → Password

CLI

:!: Setting a password this way bypasses the password policy: zmprov sp will accept the same password again, or one that violates the length, complexity or history rules configured in the CoS.

List all administrators:

su - zimbra  
zmprov gaaa

Set a password:

su - zimbra
zmprov sp <user or admin email address> <new password>

:!: The bare account name (e.g. admin) may also be accepted in place of the full e-mail address.

Zmauditswatch

https://wiki.zimbra.com/wiki/Zmauditswatch

zmlocalconfig | grep swatch                                   # show the current zmauditswatch settings
zmlocalconfig -e zimbra_swatch_notice_user=admin@domain.com   # where the alert mails go
zmlocalconfig -e zimbra_swatch_ipacct_threshold=10            # failed logins for one IP + account pair
zmlocalconfig -e zimbra_swatch_acct_threshold=15              # failed logins for one account, from any IP
zmlocalconfig -e zimbra_swatch_ip_threshold=20                # failed logins from one IP, against any account
zmlocalconfig -e zimbra_swatch_total_threshold=60             # failed logins overall
zmlocalconfig -e zimbra_swatch_threshold_seconds=3600         # time window the counts above apply to
zmauditswatchctl start | stop | status

:!: For service auto-start, follow the wiki link above. I had to use the old-style init.d method.

chkconfig --add zmauditswatch
chkconfig --list
service zmauditswatch start | stop | status
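To see which of the five thresholds fires for which pattern, here is an added example that is not part of Zimbra or zmauditswatch: it counts "authentication failed" entries the way the thresholds describe (per IP + account pair, per account, per IP, and in total, inside a sliding window) over a constructed audit.log excerpt. The line layout is modelled on Zimbra's audit.log but the entries, IPs and accounts are made up, the timestamps are treated as UTC, and GNU date is assumed.

```bash
#!/bin/bash
# Added example (not part of Zimbra or zmauditswatch): reproduce the counts the
# zmauditswatch thresholds refer to over a constructed /opt/zimbra/log/audit.log excerpt.
# The log lines are modelled on Zimbra's "authentication failed" audit entries but are
# made up; timestamps are treated as UTC. Threshold values mirror the zmlocalconfig keys.
IPACCT_THRESHOLD=10      # zimbra_swatch_ipacct_threshold:  failures for one IP + account pair
ACCT_THRESHOLD=15        # zimbra_swatch_acct_threshold:    failures for one account, any IP
IP_THRESHOLD=20          # zimbra_swatch_ip_threshold:      failures from one IP, any account
TOTAL_THRESHOLD=60       # zimbra_swatch_total_threshold:   failures overall
THRESHOLD_SECONDS=3600   # zimbra_swatch_threshold_seconds: window the counts apply to

# audit_line "YYYY-MM-DD HH:MM:SS" CLIENT_IP ACCOUNT  -> one constructed failed-login entry
audit_line() {
    printf '%s,000 INFO  [qtp1-1:https://zimbra.example.tld/service/soap/AuthRequest] [oip=%s;] security - cmd=Auth; account=%s; protocol=soap; error=authentication failed for [%s], invalid password;\n' "$1" "$2" "$3" "$3"
}

# Constructed sample: 12 failures for alice from one IP inside the window, 3 for bob from
# another IP, and 5 older alice failures that fall outside a 1-hour window ending 08:55.
make_sample_log() {
    local i
    for i in $(seq 1 12); do audit_line "2022-03-30 08:$((20 + i)):00" 203.0.113.5  alice@example.tld; done
    for i in 1 2 3;        do audit_line "2022-03-30 08:4$i:00"         198.51.100.7 bob@example.tld;   done
    for i in 1 2 3 4 5;    do audit_line "2022-03-30 06:0$i:00"         203.0.113.5  alice@example.tld; done
}

# auth_failure_alerts NOW_EPOCH < audit.log
# Prints "<kind> <key> <count> <threshold>" for every count that reaches its threshold
# within the last THRESHOLD_SECONDS; prints nothing when everything is below threshold.
auth_failure_alerts() {
    local since
    since=$(date -u -d "@$(( $1 - THRESHOLD_SECONDS ))" '+%Y-%m-%d %H:%M:%S')
    awk -v since="$since" -v ipacct="$IPACCT_THRESHOLD" -v acct="$ACCT_THRESHOLD" \
        -v ip="$IP_THRESHOLD" -v total="$TOTAL_THRESHOLD" '
    /authentication failed/ {
        ts = $1 " " substr($2, 1, 8)          # "2022-03-30 08:21:00"; ISO order compares as text
        if (ts < since) next                   # outside the sliding window
        match($0, /oip=[^;]+/);     o = substr($0, RSTART + 4, RLENGTH - 4)
        match($0, /account=[^;]+/); a = substr($0, RSTART + 8, RLENGTH - 8)
        n_ipacct[o " " a]++; n_acct[a]++; n_ip[o]++; n_total++
    }
    END {
        for (k in n_ipacct) if (n_ipacct[k] >= ipacct) print "ipacct", k, n_ipacct[k], ipacct
        for (k in n_acct)   if (n_acct[k]   >= acct)   print "acct",   k, n_acct[k],   acct
        for (k in n_ip)     if (n_ip[k]     >= ip)     print "ip",     k, n_ip[k],     ip
        if (n_total >= total)                          print "total",  "all", n_total, total
    }' | sort
}

# Stand-alone run with "now" = 2022-03-30 08:55:00Z: only the IP + account pair for alice
# trips (12 >= 10); her per-account count also stays at 12 because the five 06:0x failures
# are older than the window.
make_sample_log | auth_failure_alerts 1648630500
```

Pipe the real /opt/zimbra/log/audit.log into auth_failure_alerts "$(date +%s)" to see the same counts zmauditswatch acts on. The per-account threshold is the one that catches a slow spray against a single mailbox from many addresses; the per-IP threshold catches one host trying many accounts, which is why the two are set separately.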

Expiring Passwords Notification

Original: https://github.com/wuxmedia/Zimbra_passpoll

cd /opt/zimbra
wget https://raw.githubusercontent.com/wuxmedia/Zimbra_passpoll/master/passpoll.sh
chown zimbra:zimbra passpoll.sh
chmod +x passpoll.sh
su - zimbra
vi passpoll.sh

Modify at least:

FROM="admin@yourdomain.tld"
ADMIN_RECIPIENT="admin@yourdomain.tld"
SENDMAIL=$(ionice -c3 find /opt/zimbra/common/sbin -type f -iname sendmail)

Modify the zimbra user crontab to run the script daily:

crontab -e

Append at the bottom:

# Password Expiration Notifications
0 8 * * * /opt/zimbra/passpoll.sh > /tmp/passpoll.log

Modified passpoll.sh

This script has been modified from the original in several ways, including:

  • Number of user notifications
    • Four including final on last day
  • Content of user notifications
    • Instructions to change password
    • Zimbra URL
  • Content of admin notifications
    • Include log
  • Daily expired password notifications

#!/bin/bash
# TDH 2015-04-27
# Messy script for zimbra password expiry email notification.
# Meant to be performed as daily cronjob run as zimbra user.
# redirect output to a file to get a 'log file' of sorts.

# Start in tmp folder to eliminate permissions warnings
cd /tmp

# Time taken of script;
echo "Started on: $(date)"

# Set some vars:
# Notifications in days, then last warning. Do not list 1 here; the final warning on the last day is handled separately below.
FIRST="10"
SECOND="5"
LAST="3"
# Sent from:
FROM="admin@yourdomain.tld"
# Domain to check, e.g. 'example.com'; leave blank for all
DOMAIN=""
# Recipient who should receive an email with all expired accounts
ADMIN_RECIPIENT="admin@yourdomain.tld"
# URL for your Zimbra in message body
URL="https://zimbra.yourdomain.tld"

# Sendmail executable
SENDMAIL=$(ionice -c3 find /opt/zimbra/common/sbin -type f -iname sendmail)

# Get all users - it should run once only.
USERS=$(ionice -c3 /opt/zimbra/bin/zmprov -l gaa $DOMAIN | grep -Ev "spam\.|ham\.|galsync\.|galsync\@|virus-quarantine")

#Todays date, in seconds:
DATE=$(date +%s)

# Iterate through them in for loop:
for USER in $USERS
 do
# When was the password set?
USERINFO=$(ionice -c3 /opt/zimbra/bin/zmprov ga "$USER")
PASS_SET_DATE=$(echo "$USERINFO" | grep zimbraPasswordModifiedTime: | cut -d " " -f 2 | cut -c 1-8)
PASS_MAX_AGE=$(echo "$USERINFO" | grep "zimbraPasswordMaxAge:" | cut -d " " -f 2)
NAME=$(echo "$USERINFO" | grep givenName | cut -d " " -f 2)

# Check if we have set the account to no-expire (zimbraPasswordMaxAge=0 or unset)
if [[ -z "$PASS_MAX_AGE" || "$PASS_MAX_AGE" -eq 0 ]]
then
  continue
fi

# Without a zimbraPasswordModifiedTime there is nothing to age; "date -d" would otherwise
# silently count from today, so log it and move on.
if [[ -z "$PASS_SET_DATE" ]]
then
  echo "Account: $USER has no zimbraPasswordModifiedTime, skipping"
  continue
fi

# Make the date for expiry from now.
EXPIRES=$(date -d "$PASS_SET_DATE $PASS_MAX_AGE days" +%s)

# Now, how many days until that? (negative once the password has expired)
DEADLINE=$(( (EXPIRES - DATE) / 86400 ))

# Email to send to victims, ahem - users...
SUBJECT="$NAME - Your Password will expire in $DEADLINE days"
BODY="
Hi $NAME,

Your Zimbra e-mail account password will expire in $DEADLINE days, Please reset your password soon.

You can change your password in the Zimbra Web Client by clicking Preferences -> Change Password.

If you are seeing this message in any other mail client, click here to open the ZWC:

$URL

Thanks,
Your Zimbra Admin Team

"
# Send it off depending on days, adding verbose statements for the 'log'.
# $BODY starts with a newline, so printing it straight after the headers gives the blank
# line sendmail needs between headers and body; the To: header keeps the mail from being
# delivered as "undisclosed-recipients".
# First warning
if [[ "$DEADLINE" -eq "$FIRST" ]]
then
        printf 'To: %s\nSubject: %s\n%s\n' "$USER" "$SUBJECT" "$BODY" | $SENDMAIL -f "$FROM" "$USER"
        echo "Reminder email sent to: $USER - $DEADLINE days left"
# Second
elif [[ "$DEADLINE" -eq "$SECOND" ]]
then
        printf 'To: %s\nSubject: %s\n%s\n' "$USER" "$SUBJECT" "$BODY" | $SENDMAIL -f "$FROM" "$USER"
        echo "Reminder email sent to: $USER - $DEADLINE days left"
# Third
elif [[ "$DEADLINE" -eq "$LAST" ]]
then
        printf 'To: %s\nSubject: %s\n%s\n' "$USER" "$SUBJECT" "$BODY" | $SENDMAIL -f "$FROM" "$USER"
        echo "Reminder email sent to: $USER - $DEADLINE days left"
# Final
elif [[ "$DEADLINE" -eq "1" ]]
then
        printf 'To: %s\nSubject: %s\n%s\n' "$USER" "$SUBJECT" "$BODY" | $SENDMAIL -f "$FROM" "$USER"
        echo "Last chance for: $USER - $DEADLINE days left"

# Check for Expired accounts, get last logon date add them to EXP_LIST2
#elif [[ "$DEADLINE" -lt "0" ]] && [ "$(date +%a)" = "Mon" ]
elif [[ "$DEADLINE" -lt "0" ]]
 then
    LASTDATE=$(echo "$USERINFO" | grep zimbraLastLogonTimestamp | cut -d " " -f 2 | cut -c 1-8)
    # An account that never logged on has no zimbraLastLogonTimestamp; "date -d ''" would
    # silently report today, so say "never" instead.
    if [[ -n "$LASTDATE" ]]
    then
        LOGON=$(date -d "$LASTDATE")
    else
        LOGON="never"
    fi
    EXP_LIST="$USER's password has been expired for ${DEADLINE#-} day(s) now, last logon was $LOGON."
    EXP_LIST2="$EXP_LIST2 \n $EXP_LIST"

else
# > /dev/null for less verbose logs and a list of users.
    echo "Account: $USER reports; $DEADLINE days on Password policy"
fi

# Finish for loop
done

echo ""
echo "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-"

# Send off list using hardcoded email addresses.

EXP_BODY="
Hello Admin team,

List of expired passwords and their last recorded login date:

$(echo -e "$EXP_LIST2")

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Log file:

$(cat /tmp/passpoll.log)

"
printf 'To: %s\nSubject: %s\n%s\n' "$ADMIN_RECIPIENT" "List of accounts with expired passwords" "$EXP_BODY" | $SENDMAIL -f "$FROM" "$ADMIN_RECIPIENT"
# Expired accts, for the log:
echo -e "$EXP_LIST2"

echo "finished in $SECONDS seconds"
echo "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-"

internet/mail/zimbra/zimbra_password_policy.txt · Last modified: 2022/03/30 08:55 by gcooper