Setting a password security policy in Zimbra

Along with encrypting letters and using digital signatures, one of the most effective and low-cost ways to protect email from hacking is a competent password security policy. Recorded on pieces of paper stored in publicly accessible files or simply insufficiently complicated passwords are always a big gap in the information security of an enterprise and can lead to serious incidents with tangible consequences for a business. That is why every enterprise should have a strict password security policy.



However, any security person knows that the password policy will bring results only when it does not just exist, but is strictly followed by everyone, or at least the key employees of the organization. To achieve this is more difficult than it seems. Employees who are already very busy with work constantly forget about the need to change the password, or go along the path of least resistance, each time making the password simpler and simpler, thus nullifying the whole effect. That is why the issue of compliance with password policy in enterprises is usually solved by various technical means.

In order to monitor compliance with the password policy in Zimbra, no third-party applications are required. This can be achieved with built-in tools.
')
First you need to figure out how password management in Zimbra works. At the time of creating a new account, the administrator assigns it a temporary password. After that, the user will be able to independently log into the account and change the password. All passwords are stored in encrypted form on the server with Zimbra and due to this, even the server administrator is inaccessible. That is why in case the user forgets the password, he will have to create a new one. Recall that until recently, to create a new password, the administrator was required, but the latest version of Zimbra Creative Suite 8.8.9 added the ability for users to set a new password on their own.


Password policy settings can be found in the settings of individual users and user groups. You can customize:

• Password length - allows you to set the minimum and maximum password length. By default, the minimum password length is 6 characters, and the maximum - 64.
• Password aging - allows you to set the time after which the password becomes invalid. Users do not have to wait for the password to expire, it can be replaced before it expires
• Minimum upper case characters - allows you to set the minimum number of capital letters used in the password
• Minimum lower case characters - allows you to set the minimum number of lowercase letters used in the password
• Minimum numeric characters - allows you to set the minimum number of digits from 0 to 9 used in the password
• Minimum punctuation symbols - allows you to set the minimum number of punctuation marks and special characters used in the password
• Enforce password history - allows you to set the number of memorized passwords so that the user does not periodically use duplicate passwords
• Password locked - this option allows you to prevent the user from changing the password.
• Enable failed log in lockout - this option allows you to configure the system to respond to the wrong password

As you can see, the password settings in Zimbra are quite flexible and able to adapt to the password policy in virtually any enterprise. In addition, by using an unpretentious script, you can configure sending reminders to users that their password will expire soon. Thanks to this reminder, the employee will be able to change the password in a relaxed atmosphere, while the mail that does not open in the morning at the employee who missed the password change time can adversely affect its effectiveness.

In order for this script to work, you need to copy it to a file and make this file executable. It is recommended to automate the execution of this script using Cron so that it notifies daily users who have not updated the password for a long time that it will soon stop working. In addition, in the script instead of zimbra.server.com you need to substitute the name of your own domain.

#!/bin/bash #   : #      ,   : FIRST="3" LAST="1" #   : FROM="admin@zimbra.server.com" #   ,           ADMIN_RECIPIENT="admin@zimbra.server.com" #      Sendmail SENDMAIL=$(ionice -c3 find /opt/zimbra/common/sbin/sendmail* -type f -iname sendmail) #    . USERS=$(ionice -c3 /opt/zimbra/bin/zmprov -l gaa $DOMAIN) #      : DATE=$(date +%s) #    : for USER in $USERS do # ,     USERINFO=$(ionice -c3 /opt/zimbra/bin/zmprov ga "$USER") PASS_SET_DATE=$(echo "$USERINFO" | grep zimbraPasswordModifiedTime: | cut -d " " -f 2 | cut -c 1-8) PASS_MAX_AGE=$(echo "$USERINFO" | grep "zimbraPasswordMaxAge:" | cut -d " " -f 2) NAME=$(echo "$USERINFO" | grep givenName | cut -d " " -f 2) # ,     ,       . if [[ "$PASS_MAX_AGE" -eq "0" ]] then continue fi #      EXPIRES=$(date -d "$PASS_SET_DATE $PASS_MAX_AGE days" +%s) # ,         DEADLINE=$(( (($DATE - $EXPIRES)) / -86400 )) #    SUBJECT="$NAME -      $DEADLINE " BODY=" , $NAME,       $DEADLINE , ,     .           Zimbra.  .  , IT- " #   if [[ "$DEADLINE" -eq "$FIRST" ]] then echo "Subject: $SUBJECT" "$BODY" | $SENDMAIL -f "$FROM" "$USER" echo "Reminder email sent to: $USER - $DEADLINE days left" #   elif [[ "$DEADLINE" -eq "$LAST" ]] then echo "Subject: $SUBJECT" "$BODY" | $SENDMAIL -f "$FROM" "$USER" echo "Reminder email sent to: $USER - $DEADLINE days left" # Final elif [[ "$DEADLINE" -eq "1" ]] then echo "Subject: $SUBJECT" "$BODY" | $SENDMAIL -f "$FROM" "$USER" echo "Last chance for: $USER - $DEADLINE days left" fi done 

Thus, we can say that the Zimbra Collaboration Suite is quite suitable even for those enterprises that have a strict password policy, and thanks to the built-in functions, it will be quite simple to get its strict implementation from employees.