All Zimbra domain administrator should read this quick blog post on email security: https://xmission.com/blog/2017/10/17/best-practices-for-zimbra-email-security

Changing your end-user mailbox password through the Zimbra domain admin control panel is easy, but first let's review XMission password best practices.

XMission Zimbra Password requirements:

XMission recommends secure passphrases consisting of five to six words, with a few special characters and numbers, since they can be much easier to remember.

• Ideally it is best to use longer, more complex passphrases to properly protect your mailboxes, and your company, from hackers. Our Zimbra system supports passwords up to 128 characters. We advise using a minimum passphrase length of 12-15 characters with 25-28 characters providing very reasonable security.
• Shorter passwords require use of at least 1 of the following: UPPER CASE letter, lower case letter, special characters, and a numeral to meet minimum security requirements.
• Passwords expire after 1 year and must be changed at that time. Changing more frequently is advised.
• You cannot re-use your current password.
• Please allow 15 minutes for the new password to propagate through the system.
• Write credentials down in a secure place until you memorize it then destroy the note.
• Here is a quick and easy to understand visual tutorial on password security: https://xkcd.com/936/

Three ways to change passwords from domain admin control panel:

• Inside the control panel main page click on "Manage" in left column. Right-mouse click on the mailbox name to reveal a drop down menu, select "Change password."
• Inside the control panel main page click on "Manage" in left column and highlight a mailbox. Now right-mouse click on the gear icon in the top right corner. Select "Change password".
• Inside the control panel main page click on "Manage" in left column and double click on the desired mailbox. When it opens the settings page of the mailbox use the "Password" area to change the password.

NOTE: XMission Zimbra servers will allow a password as short as 12 characters. Short passwords are poor security. Please take the time to protect your company email data buy using a passphrase in the 25-28 character length.

Password Expiration and Failed Login Attempts

Please note the following details about XMission's email password expiration and failed login attempts policy.

Should you ever have an end-user mailbox that is not allowing login there are two primary reasons for this.

• The password has expired.
• There have been too many failed login attempts to the account causing it to be temporarily suspended.

Expired Password

All XMission email passwords must be changed once yearly. XMission sends email notices to the user mailbox 2 (two) weeks before expiration. Please ask your mailbox owners to change their password in a timely manner.

Domain administrators are *not* emailed about the user mailbox need to change their password. Repeat, domain administrators are not emailed about password expirations.

Failed Login Attempt - Mailbox Access Suspension

Failed login attempt account suspension practices are a way to safeguard mailboxes from brute force attacks where a bad actor is trying to access the sensitive information inside. XMission protects customer mailboxes by temporarily suspending mail accounts with too many failed login attempts. This prevents new logins and halts all access on active mail sessions. Incoming email is not restricted.

If you, or another entity, are trying to access the account with too many failed password attempts within the monitoring cycle, the system blocks access for a short period of time, after which you can again attempt to authenticate with correct credentials.

Failed login attempt definition: Improper entry of a password for a valid mailbox.

How failed login attempts are measured and enforced: When the first failed login attempt occurs, the monitoring cycle begins. Thereafter, each time a unique wrong password fails, that adds to the count.

It is important to note that when the same wrong password is used, from any number of IP addresses or devices, it only counts as one (1) failed login attempt.

During the monitoring cycle, if additional failed login attempts are made using a different password from the original attempt, it add to the failed login attempt total. IE: Bad password "A" activates monitoring period. A second unique password "B" is used bringing the total to two (2) failed attempts. If password "A" is used again, it counts as another new unique password totaling three (3) failed attempts.

Once the maximum number of failed attempts is reached, access to the mailbox is temporarily suspended.

Troubleshooting

Mailbox accounts having failed login issues appear to have the same symptoms as an expired password. The way to test is to access webmail, https://zimbra.xmission.com  with your credentials. If the password is expired it will prompt you to set a new password immediately. If the account is locked out, it will simply not validate with the credentials until the suspension period ends.

If an account is temporarily suspended for too many failed password attempts you need to either wait for the suspension period to pass, reset the mailbox status to active in the domain admin panel, or contact XMission Support to have the suspension manually removed.

Domain administrators can change mailbox status and passwords via the domain admin interface.

NOTE: Use of Two-Factor Authentication (2FA) does not prevent account suspension due to failed authentication attempts.