ProHoster > Blog > Administration > Configuring a Password Security Policy in Zimbra

Configuring a Password Security Policy in Zimbra

Along with email encryption and the use of digital signatures, one of the most effective and cost-effective ways to protect email from hacking is a good password security policy. Passwords written down on paper, stored in public files, or simply not strong enough are always a big breach in the information security of an enterprise and can lead to serious incidents with tangible business consequences. That is why any enterprise should have a strict password security policy.

Configuring a Password Security Policy in Zimbra

However, any security officer knows that a password policy will only bring results if it not only exists, but is strictly observed by everyone, or at least by key employees of the organization. Achieving this is harder than it looks. Already heavily loaded employees constantly forget about the need to change the password, or follow the path of least resistance, each time making the password easier and simpler, thus nullifying the whole effect. That is why the issue of compliance with the password policy in enterprises is usually solved by various technical means.

Zimbra does not require any third-party applications to enforce password policy. This can be achieved using built-in tools.

First, it’s worth understanding how password management works in Zimbra. When a new account is created, it is assigned a temporary password by the administrator. After that, the user will be able to independently log into the account and change the password. All passwords are stored in encrypted form on the server with Zimbra and due to this they are inaccessible even to the server administrator. That is why if the user forgets the password, he will have to create a new one. Recall that until recently, creating a new password required the participation of an administrator, but the latest version of Zimbra Creative Suite 8.8.9 added the ability for users to set a new password themselves.

Configuring a Password Security Policy in Zimbra
Password policy settings can be found in the settings for individual users and user groups. You can set up:

  • Password length - allows you to set the minimum and maximum password length. By default, the minimum password length is 6 characters and the maximum is 64.
  • Password aging - allows you to set the time after which the password becomes invalid. Users do not have to wait for the password to expire, they can be changed before the password expires
  • Minimum upper case characters - allows you to set the minimum number of upper case characters used in the password
  • Minimum lower case characters - allows you to set the minimum number of lower case characters used in the password
  • Minimum numeric characters - allows you to set the minimum number of digits from 0 to 9 used in the password
  • Minimum punctuation symbols - allows you to set the minimum number of punctuation marks and special characters used in the password
  • Enforce password history - allows you to set the number of passwords to remember so that the user does not periodically use repeated passwords
  • Password locked - this option allows you to prevent the user from changing the password
  • Enable failed log in lockout - this option allows you to configure the system reaction to entering an incorrect password

As you can see, the password settings in Zimbra are quite flexible and able to adapt to the password policy in almost any enterprise. In addition, by using a simple script, you can send reminders to users that their password is about to expire. Thanks to such a reminder, the employee will be able to change the password in a relaxed atmosphere, while the mail that does not open in the morning at the employee who missed the moment of changing the password can adversely affect his efficiency.

In order for this script to work, you need to copy it to a file and make this file executable. It is recommended to automate the execution of this script using Cron so that it notifies users who have not updated their password daily that it will soon stop working. In addition, in the script, instead of zimbra.server.com, you must substitute the name of your own domain.

#!/bin/bash
# Π—Π°Π΄Π°Π΅ΠΌ ряд ΠΏΠ΅Ρ€Π΅ΠΌΠ΅Π½Π½Ρ‹Ρ…:
# Π‘ΠΏΠ΅Ρ€Π²Π° количСство Π΄Π½Π΅ΠΉ для ΠΏΠ΅Ρ€Π²ΠΎΠ³ΠΎ напоминания, Π·Π°Ρ‚Π΅ΠΌ для послСднСго:
FIRST="3"
LAST="1"
# Π—Π°Π΄Π°Π΅ΠΌ адрСс отправитСля:
FROM="[email protected]"
# Π—Π°Π΄Π°Π΅ΠΌ адрСс получатСля, ΠΊΠΎΡ‚ΠΎΡ€Ρ‹ΠΉ Π±ΡƒΠ΄Π΅Ρ‚ ΠΏΠΎΠ»ΡƒΡ‡Π°Ρ‚ΡŒ письмо со списком Π°ΠΊΠΊΠ°ΡƒΠ½Ρ‚ΠΎΠ² с ΠΈΡΡ‚Π΅ΠΊΡˆΠΈΠΌΠΈ паролями
ADMIN_RECIPIENT="[email protected]"
# Π£ΠΊΠ°Π·Ρ‹Π²Π°Π΅ΠΌ ΠΏΡƒΡ‚ΡŒ ΠΊ исполняСмому Ρ„Π°ΠΉΠ»Ρƒ Sendmail
SENDMAIL=$(ionice -c3 find /opt/zimbra/common/sbin/sendmail* -type f -iname sendmail)
# ΠŸΠΎΠ»ΡƒΡ‡Π°Π΅ΠΌ список всСх ΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚Π΅Π»Π΅ΠΉ.
USERS=$(ionice -c3 /opt/zimbra/bin/zmprov -l gaa $DOMAIN)
# Π£ΠΊΠ°Π·Ρ‹Π²Π°Π΅ΠΌ Π΄Π°Ρ‚Ρƒ с Ρ‚ΠΎΡ‡Π½ΠΎΡΡ‚ΡŒΡŽ Π΄ΠΎ сСкунды:
DATE=$(date +%s)
# ΠŸΡ€ΠΎΠ²Π΅Ρ€ΡΠ΅ΠΌ ΠΊΠ°ΠΆΠ΄ΠΎΠ³ΠΎ ΠΈΠ· Π½ΠΈΡ…:
for USER in $USERS
 do
# Π£Π·Π½Π°Π΅ΠΌ, ΠΊΠΎΠ³Π΄Π° Π±Ρ‹Π» установлСн ΠΏΠ°Ρ€ΠΎΠ»ΡŒ
USERINFO=$(ionice -c3 /opt/zimbra/bin/zmprov ga "$USER")
PASS_SET_DATE=$(echo "$USERINFO" | grep zimbraPasswordModifiedTime: | cut -d " " -f 2 | cut -c 1-8)
PASS_MAX_AGE=$(echo "$USERINFO" | grep "zimbraPasswordMaxAge:" | cut -d " " -f 2)
NAME=$(echo "$USERINFO" | grep givenName | cut -d " " -f 2)
# ΠŸΡ€ΠΎΠ²Π΅Ρ€ΡΠ΅ΠΌ, Π½Π΅Ρ‚ Π»ΠΈ срСди ΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚Π΅Π»Π΅ΠΉ Ρ‚Π΅Ρ…, Ρƒ ΠΊΠΎΠ³ΠΎ срок дСйствия пароля ΡƒΠΆΠ΅ истСк.
if [[ "$PASS_MAX_AGE" -eq "0" ]]
then
  continue
fi
# ВысчитываСм Π΄Π°Ρ‚Ρƒ окончания дСйствия ΠΏΠ°Ρ€ΠΎΠ»Π΅ΠΉ
EXPIRES=$(date -d  "$PASS_SET_DATE $PASS_MAX_AGE days" +%s)
# Π‘Ρ‡ΠΈΡ‚Π°Π΅ΠΌ, сколько Π΄Π½Π΅ΠΉ ΠΎΡΡ‚Π°Π»ΠΎΡΡŒ Π΄ΠΎ окончания срока дСйствия пароля
DEADLINE=$(( (($DATE - $EXPIRES)) / -86400 ))
# ΠžΡ‚ΠΏΡ€Π°Π²Π»ΡΠ΅ΠΌ письмо ΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚Π΅Π»ΡΠΌ
SUBJECT="$NAME - Π’Π°Ρˆ ΠΏΠ°Ρ€ΠΎΠ»ΡŒ станСт Π½Π΅Π΄Π΅ΠΉΡΡ‚Π²ΠΈΡ‚Π΅Π»ΡŒΠ½Ρ‹ΠΌ Ρ‡Π΅Ρ€Π΅Π· $DEADLINE Π΄Π½Π΅ΠΉ"
BODY="
ЗдравствуйтС, $NAME,
ΠŸΠ°Ρ€ΠΎΠ»ΡŒ вашСго Π°ΠΊΠΊΠ°ΡƒΠ½Ρ‚Π° станСт Π½Π΅Π΄Π΅ΠΉΡΡ‚Π²ΠΈΡ‚Π΅Π»ΡŒΠ½Ρ‹ΠΌ Ρ‡Π΅Ρ€Π΅Π· $DEADLINE Π΄Π½Π΅ΠΉ, ΠŸΠΎΠΆΠ°Π»ΡƒΠΉΡΡ‚Π°, создайтС Π½ΠΎΠ²Ρ‹ΠΉ ΠΊΠ°ΠΊ ΠΌΠΎΠΆΠ½ΠΎ скорСС.
Π’Ρ‹ ΠΌΠΎΠΆΠ΅Ρ‚Π΅ Ρ‚Π°ΠΊΠΆΠ΅ ΡΠΎΠ·Π΄Π°Ρ‚ΡŒ Π½Π°ΠΏΠΎΠΌΠΈΠ½Π°Π½ΠΈΠ΅ ΠΎ смСнС пароля Π² ΠΊΠ°Π»Π΅Π½Π΄Π°Ρ€Π΅ Zimbra.
Π—Π°Ρ€Π°Π½Π΅Π΅ спасибо.
Π‘ ΡƒΠ²Π°ΠΆΠ΅Π½ΠΈΠ΅ΠΌ, IT-ΠΎΡ‚Π΄Π΅Π»
"
# ΠŸΠ΅Ρ€Π²ΠΎΠ΅ ΠΏΡ€Π΅Π΄ΡƒΠΏΡ€Π΅ΠΆΠ΄Π΅Π½ΠΈΠ΅
if [[ "$DEADLINE" -eq "$FIRST" ]]
then
	echo "Subject: $SUBJECT" "$BODY" | $SENDMAIL -f "$FROM" "$USER"
	echo "Reminder email sent to: $USER - $DEADLINE days left"
# ПослСднСС ΠΏΡ€Π΅Π΄ΡƒΠΏΡ€Π΅ΠΆΠ΄Π΅Π½ΠΈΠ΅
elif [[ "$DEADLINE" -eq "$LAST" ]]
then
	echo "Subject: $SUBJECT" "$BODY" | $SENDMAIL -f "$FROM" "$USER"
	echo "Reminder email sent to: $USER - $DEADLINE days left"
# Final
elif [[ "$DEADLINE" -eq "1" ]]
then
    echo "Subject: $SUBJECT" "$BODY" | $SENDMAIL -f "$FROM" "$USER"
	echo "Last chance for: $USER - $DEADLINE days left"
fi
done

Thus, we can say that Zimbra Collaboration Suite is quite suitable even for those enterprises that have implemented a strict password policy, and thanks to the built-in functions, it will be quite simple to achieve its strict implementation from employees.

For all questions related to Zextras Suite, you can contact the Representative of Zextras company Katerina Triandafilidi by e-mail [email protected]

Source: habr.com

Add a comment