(Last Updated On: March 15, 2018)

In this guide, we'll look at the changes you need to make to set a password policy on a Zimbra server. By default, Zimbra enforces only a six-character minimum with no complexity requirements and no account lockout. This poses a risk of accounts being compromised and ultimately used for spamming.

How to Set Password Policy on Zimbra

So you have a Zimbra server in production ready to use? Follow this guide to set up a password policy. The first thing to do is check the current password settings on the server. Note that zmprov gac -v prints every class of service, so after sort | uniq an attribute that differs between classes appears once per distinct value (zimbraPasswordMinUpperCaseChars at the end of the listing below is an example); to look at a single class, use zmprov gc default | grep Password instead. The commands are:

$ su - zimbra
$ zmprov gac -v | grep Password | sort | uniq
zimbraFeatureChangePasswordEnabled: TRUE
zimbraMobilePolicyAllowSimpleDevicePassword: FALSE
zimbraMobilePolicyAlphanumericDevicePasswordRequired: FALSE
zimbraMobilePolicyDevicePasswordEnabled: TRUE
zimbraMobilePolicyDevicePasswordExpiration: 0
zimbraMobilePolicyDevicePasswordHistory: 8
zimbraMobilePolicyMaxDevicePasswordFailedAttempts: 4
zimbraMobilePolicyMinDevicePasswordComplexCharacters: 0
zimbraMobilePolicyMinDevicePasswordLength: 4
zimbraMobilePolicyPasswordRecoveryEnabled: TRUE
zimbraPasswordEnforceHistory: 0
zimbraPasswordLocked: FALSE
zimbraPasswordLockoutDuration: 1h
zimbraPasswordLockoutEnabled: FALSE
zimbraPasswordLockoutFailureLifetime: 1h
zimbraPasswordLockoutMaxFailures: 10
zimbraPasswordMaxAge: 0
zimbraPasswordMaxLength: 64
zimbraPasswordMinAge: 0
zimbraPasswordMinAlphaChars: 0
zimbraPasswordMinDigitsOrPuncs: 0
zimbraPasswordMinLength: 6
zimbraPasswordMinLowerCaseChars: 0
zimbraPasswordMinNumericChars: 0
zimbraPasswordMinPunctuationChars: 0
zimbraPasswordMinUpperCaseChars: 0
zimbraPasswordMinUpperCaseChars: 1

The key items you might want to be keen on are:

zimbraPasswordMaxAge: The maximum age of a password, in days; 0 means passwords never expire.
zimbraPasswordLockoutMaxFailures: The number of consecutive failed logins before the account is locked. It is only enforced when zimbraPasswordLockoutEnabled is TRUE, which it is not by default (see the listing above), so set that attribute as well.
zimbraPasswordMinLength: The minimum length of the password.
zimbraPasswordMinNumericChars: The minimum number of numeric characters required in the password.
zimbraPasswordMinUpperCaseChars: The minimum number of uppercase characters required in the password.

Set strong Password policy on Zimbra

Now that you have seen the key parameters we need to modify, let's apply them to the server. My settings will be:

zimbraPasswordMaxAge: 90 (in days)
zimbraPasswordMinLength: 7
zimbraPasswordLockoutMaxFailures: 5
zimbraPasswordMinNumericChars: 1
zimbraPasswordMinUpperCaseChars: 1

Because lockout is disabled out of the box, zimbraPasswordLockoutMaxFailures only takes effect once zimbraPasswordLockoutEnabled is set to TRUE as well. The related attributes zimbraPasswordLockoutDuration (how long the account stays locked) and zimbraPasswordLockoutFailureLifetime (how long a failed attempt is counted) default to 1h, as shown in the listing above.

Changing password policy settings on Zimbra Admin web interface.

If you’re not a terminal-centric person, you can consider making these changes on the web UI. To do so, navigate to:

Home > Configure > Class of Service > default | defaultExternal > Advanced

On that page there is a Password section containing the same attributes listed above. Change the values to your liking and click Save when you're done.

Changing password policy settings on Zimbra CLI.

You can as well change the settings from the CLI. The syntax for this is:

$ zmprov mc <cos-name> <parameter> <value>

To list the classes of service defined on the server, run:

$ zmprov gac
default
defaultExternal

For more details about a particular cos, use:

$ zmprov gc default

Example:

To ensure there is an uppercase character and a number on the password, use:

$ sudo su - zimbra
$ zmprov mc default zimbraPasswordMinNumericChars 1
$ zmprov mc default zimbraPasswordMinUpperCaseChars 1
$ zmprov mc default zimbraPasswordLockoutMaxFailures 5

Follow the same syntax for the other parameters. Note that the policy is checked when a password is set or changed, so existing passwords are not re-validated until their next change (or until they expire under zimbraPasswordMaxAge), and an account that has one of these attributes set directly on it (with zmprov ma) uses that value rather than the COS value.
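The check-then-apply procedure above (reading the current settings with zmprov, then changing them with zmprov mc) as one script. This is an added example, not code from the original article or from Zimbra: it applies the policy from this guide to a class of service, sets zimbraPasswordLockoutEnabled so the failure limit actually applies, and then re-reads the COS and flags anything still weak. It assumes it runs as the zimbra user with zmprov on PATH, uses a minimum length of 8 rather than the article's 7, and the weak-setting thresholds in audit_settings are my own choices; ZMPROV=echo makes apply_policy print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original article: apply a Zimbra password policy
# to a class of service with zmprov, then re-read the COS and flag anything
# still weak. Assumes it runs as the zimbra user with zmprov on PATH.
# ZMPROV=echo turns apply_policy into a dry run.
ZMPROV="${ZMPROV:-zmprov}"
MIN_LENGTH=8   # assumption: 8 instead of the article's 7

# The policy to enforce, as "attribute value" pairs. zimbraPasswordLockoutEnabled
# is set explicitly: LockoutMaxFailures does nothing while it is FALSE.
policy() {
    cat <<EOF
zimbraPasswordMinLength $MIN_LENGTH
zimbraPasswordMaxAge 90
zimbraPasswordMinNumericChars 1
zimbraPasswordMinUpperCaseChars 1
zimbraPasswordLockoutEnabled TRUE
zimbraPasswordLockoutMaxFailures 5
zimbraPasswordLockoutDuration 1h
zimbraPasswordLockoutFailureLifetime 1h
EOF
}

# Run "zmprov mc <cos> <attr> <value>" for every policy line.
apply_policy() {
    cos="$1"
    policy | while read -r attr value; do
        "$ZMPROV" mc "$cos" "$attr" "$value" || exit 1   # exit the pipeline subshell
    done
}

# Read "attribute: value" lines (the format zmprov gc prints) on stdin and
# report settings that are still weak. Returns 1 if any were found.
audit_settings() {
    weak=0
    while IFS=': ' read -r attr value; do
        msg=""
        case "$attr" in
            zimbraPasswordMinLength)
                if [ "$value" -lt "$MIN_LENGTH" ]; then msg="shorter than $MIN_LENGTH characters"; fi ;;
            zimbraPasswordMaxAge)
                if [ "$value" -eq 0 ]; then msg="passwords never expire"; fi ;;
            zimbraPasswordLockoutEnabled)
                if [ "$value" != TRUE ]; then msg="lockout disabled, so LockoutMaxFailures is ignored"; fi ;;
            zimbraPasswordMinNumericChars|zimbraPasswordMinUpperCaseChars)
                if [ "$value" -lt 1 ]; then msg="no complexity requirement"; fi ;;
        esac
        if [ -n "$msg" ]; then
            echo "weak: $attr=$value ($msg)"
            weak=1
        fi
    done
    return "$weak"
}

# Fetch one COS with zmprov gc and audit only its password attributes.
audit_cos() {
    "$ZMPROV" gc "$1" | grep '^zimbraPassword' | audit_settings
}

# Usage: sh zimbra-pwpolicy.sh <cos-name>. With no argument nothing is
# changed, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then
    apply_policy "$1" && audit_cos "$1"
fi
```

Run it once per class of service you use (default and defaultExternal in the listing above); the audit at the end is the same check you would do by hand with zmprov gc default | grep Password, and it exits non-zero if any flagged setting remains, which makes it easy to drop into a configuration check.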

For more details about how to use the class of service settings on Zimbra, check the help page.

$ zmprov help cos

copyCos(cpc) {src-cos-name|id} {dest-cos-name}
createCos(cc) {name} [attr1 value1 [attr2 value2...]]
deleteCos(dc) {name|id}
getAllCos(gac) [-v]
getCos(gc) {name|id} [attr1 [attr2...]]
modifyCos(mc) {name|id} [attr1 value1 [attr2 value2...]]
renameCos(rc) {name|id} {newName}

Conclusion

Hope this guide on how to Set Password Policy on Zimbra was helpful. If you have other ideas on hardening Zimbra server, please let me know. I’ll definitely add to the guide.

Other Zimbra Articles on this blog:

Managing Distribution Lists on Zimbra Mail Server

Configure whitelist and blacklist Zimbra Amavis Spam filtering

Zimbra Firewall Configuration with ufw for Ubuntu and firewalld for CentOS