Transmission

XMission's Company Journal

Zimbra Server Admin Tip: Mailbox Password Migration and Server Settings Comparison


Mail server administration is not easy. That is why, for over 8 years, XMission has provided Zimbra Email & Collaboration services for thousands of businesses that don’t have the time and resources to manage their own mail server. We also sell Zimbra server licensing for those that do have the resources. This post will focus on the latter.

While your licensing support is provided directly by the support team at Zimbra.com, we still get plenty of questions after the sale. The most common questions deal with user data migration, particularly how to transfer user passwords, and how to compare settings from an old server to a new server when upgrading.

This post is a bit more technical than most of our power tips, but will be very helpful for many Zimbra admins looking to have a smooth transition. I’m assuming that the reader has working knowledge of Linux systems as well as some experience with Zimbra servers. Throughout this post I will use “example.tld” in place of your domain name.

Let’s start with how to transfer password credentials, because requiring an immediate password change at server transition time only fuels end-user anxiety and increases your workload.

USER PASSWORD MIGRATION

Admins often worry that they can’t transfer passwords between servers. Let me put your mind at ease: it is possible to transfer mailbox passwords from one Zimbra server to another. Now, relax, and I will explain how to do this.

Inside Zimbra, the password crypts are stored in the “userPassword” attribute on an account. Crypts can be copied from one install to another to preserve account passwords across Zimbra installations. Depending on the crypt format, it’s also possible to use crypts from a non-Zimbra mail server. (This is a trick we use when migrating new hosted Zimbra customers to our service from other providers.)

You can access crypts in the userPassword attribute via either the zmprov tool or directly through Zimbra’s LDAP. Let’s discuss how to use zmprov. The attribute is accessed almost like any other account attribute; however, zmprov will only print the crypt when getting account information with ‘-l’.

The zmprov command-line tool performs all provisioning tasks in Zimbra LDAP, including creating accounts, aliases, domains, CoS, distribution lists, and calendar resources.

Here is an example command:

zimbra@oldserver:~# zmprov -l ga user@example.tld userPassword
# name user@example.tld
userPassword: {SSHA}ZPyiP3Rt8OJHiwNgZJkhT/0ZifRJdW+M

So the crypt for this user is ‘{SSHA}ZPyiP3Rt8OJHiwNgZJkhT/0ZifRJdW+M’. You can transfer this user’s password to any other account by copying this crypt:

zimbra@newserver:~# zmprov ma user@example.tld userPassword '{SSHA}ZPyiP3Rt8OJHiwNgZJkhT/0ZifRJdW+M'

Note that ‘-l’ isn’t needed when *setting* the userPassword attribute.

The zmprov tool supports piping commands into standard input, so you can actually create a file with a list of commands to do mass changes. If the file looked like this:

ma user1@example.tld userPassword '{SSHA}ZPyiP3Rt8OJHiwNgZJkhT/0ZifRJdW+M'
ma user2@example.tld userPassword '{SSHA}4bha2xATPc35uz3QFp1CPLxhG9d2q8r8'

you could then pipe the file to zmprov, and set the passwords for both of these users.
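
One way to build that command file, as an added example that is not part of the original post: the input format (one "address crypt" pair per line) and the helper names are assumptions. Each crypt is checked against an allow-list before it is placed inside single quotes, and the file is created owner-only because it holds password hashes.

```shell
#!/bin/sh
# Added example: turn "account crypt" pairs into a zmprov batch file.
# Assumed input format (not from the original post): one "address crypt"
# pair per line, collected on the old server with
#   zmprov -l ga <account> userPassword

# Constructed sample input: two crypts from the post plus one malformed line.
sample_pairs() {
cat <<'EOF'
user1@example.tld {SSHA}ZPyiP3Rt8OJHiwNgZJkhT/0ZifRJdW+M
user2@example.tld {SSHA}4bha2xATPc35uz3QFp1CPLxhG9d2q8r8
user3@example.tld {SSHA}QUJD'x
EOF
}

# Allow-lists: a quote, space or other unexpected character in either field
# would end the single-quoted argument early, so such lines are refused.
valid_account() { printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$'; }
valid_crypt()   { printf '%s\n' "$1" | grep -Eq '^[{][A-Za-z0-9-]+[}][A-Za-z0-9+/=.$]+$'; }

# stdin: pairs; stdout: "ma" lines; stderr: rejected accounts (never the hash).
# Returns 1 if any line was rejected.
build_batch() {
    rc=0
    while read -r account crypt extra || [ -n "$account" ]; do
        [ -z "$account" ] && continue
        if [ -z "$extra" ] && valid_account "$account" && valid_crypt "$crypt"; then
            printf "ma %s userPassword '%s'\n" "$account" "$crypt"
        else
            echo "rejected: $account" >&2
            rc=1
        fi
    done
    return "$rc"
}

# The batch file contains password hashes: create it owner-only, remove after use.
umask 077
batch=$(mktemp)
sample_pairs | build_batch > "$batch" || echo "review rejected lines before importing" >&2
cat "$batch"          # on the new server, as the zimbra user: zmprov < "$batch"
rm -f "$batch"
```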

Next up, how not to miss a critical detail.

COMPARING AN OLD SERVER TO NEW SERVER

It can be useful to compare settings between the old server and the new server for any number of reasons. Critical items to check may include Class of Service (CoS) settings, backup schedules, or settings that control how LDAP is handled for your end users.

The following tools can be run from the command line on the Zimbra server(s) to output data for easy review:

zmlocalconfig

Zimbra.com zmlocalconfig document

zmprov gs servername.example.tld

Zimbra.com zmprov document

If all the mail accounts are migrated, you can run the following command on both servers to get mailbox size and message count for every account.

zmprov -l gaa | awk '{ print "sm " $1 }' | zmmailbox -z | egrep "^mailbox"

Zimbra has a lot of attributes, so you will want to use a tool that compares the contents of two files, i.e. a diff tool such as vimdiff. It shows the lines side by side, hides those that are the same, and makes it very easy to go attribute by attribute checking for differences.
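
A non-interactive complement to vimdiff, as an added example that is not part of the original post: it reports only the keys that differ between two saved dumps and does not print values for keys that look like secrets, so the report can go into a change ticket. The function name, the report format and the example_* keys are assumptions.

```shell
#!/bin/sh
# Added example: report only the keys that differ between two settings dumps,
# e.g. `zmlocalconfig > old.txt` on one server and `> new.txt` on the other.
# Handles "key = value" (zmlocalconfig) and "key: value" (zmprov gs) lines.

# Constructed sample dumps; the example_* keys are placeholders.
sample_old() { cat <<'EOF'
ldap_port = 389
mailboxd_java_heap_size = 2048
zimbra_ldap_password = constructed-old
example_old_only_key = 1
EOF
}
sample_new() { cat <<'EOF'
ldap_port = 389
mailboxd_java_heap_size = 4096
zimbra_ldap_password = constructed-new
example_new_only_key = 1
EOF
}

# diff_settings OLD_FILE NEW_FILE
diff_settings() {
    { sort "$1" | sed 's/^/O /'; sort "$2" | sed 's/^/N /'; } | awk '
    {
        side = substr($0, 1, 1); line = substr($0, 3)
        if (line ~ /^#/ || !match(line, "( = |: )")) next
        key = substr(line, 1, RSTART - 1)
        val = substr(line, RSTART + RLENGTH)
        if (key ~ /[Pp]assword|[Ss]ecret/) secret[key] = 1
        seen[key] = 1
        # Repeated keys (multi-valued attributes) are joined in sorted order.
        if (side == "O") o[key] = o[key] "|" val; else n[key] = n[key] "|" val
    }
    END {
        for (k in seen) {
            if (!(k in n)) print "only-old " k
            else if (!(k in o)) print "only-new " k
            else if (o[k] != n[k])
                print "changed " k ": " (secret[k] ? "<redacted>" : substr(o[k], 2) " -> " substr(n[k], 2))
        }
    }' | LC_ALL=C sort
}

old=$(mktemp); new=$(mktemp)
sample_old > "$old"; sample_new > "$new"
diff_settings "$old" "$new"
rm -f "$old" "$new"
```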

I hope you found this post useful. Please, share this post with your tech friends, co-workers, and social networks by clicking on the social media icons below.

You can post any questions in the comments below and I will respond.

When you need Zimbra licensing for your on-site server, or are considering Zimbra Professional Services to help with your install, please contact me for a quote.

John Webster, VP of Business Development and Zimbra Email Product Manager, has worked at XMission for over 19 years doing his favorite thing: helping companies communicate with customers through technology to grow their business. When he’s not uncovering Zimbra’s secrets you might find him in our beautiful Utah mountains.  Connect with him on LinkedIn today!


Comments are currently closed.

5 thoughts on “Zimbra Server Admin Tip: Mailbox Password Migration and Server Settings Comparison”

  • Scott Hawkyard says:

    John – great article, thank you!

  • KristijanL says:

    Just what I was looking for! Thank you!

  • Jorge says:

    I love the Admin Tips that you are sharing, this one is really useful.

    Thank you very much !

  • Nicolas says:

    Hi, Thanks for this article but I’m trying to migrate password and it doesn’t work.
    Do you do another thing after the zmprov command ?

    Thanks.

  • John W. says:

    Hello Nicolas, This is the best method we know. Unsure what might be the underlying cause of this not working for you. Please verify all the conditions and try again or you can contact the support team at Zimbra. – Best, John