Skip to content

Latest commit

 

History

History
633 lines (479 loc) · 21.6 KB

managingaccounts.adoc

File metadata and controls

633 lines (479 loc) · 21.6 KB

Managing User Accounts

Table of Contents

Status of User Accounts

Admin Console:

Home → Manage → Accounts

The status of an account determines whether a user can log in and receive mail. The account status is displayed on the Accounts pane of the Administration Console.

Table 1. Status - User Accounts
Status Description

Active

The normal state for a mailbox account. Mail is delivered and users can log in to the client interface.

Maintenance

Logging is disabled and any mail addressed to this account is queued at the MTA.

Note that this state is automatically set for the account during a backup or when importing/exporting/ restoring the account.

Pending

Assignment for an account when it is created but not yet ready to become active. While pending, the login is disabled and messages are bounced.

Locked

The user cannot log in but mail continues to be delivered to the account. The locked state can be set if you suspect that a mail account has been compromised (used in an unauthorized manner).

Closed

Login is disabled and messaged are bounced. This status is used to soft-delete the account before deleting it from the server. A closed account does not change the account license.

LockOut

The automatic state that occurs if the user attempts to log in with an incorrect password. A LockOut cannot be administratively assigned but will occur after the number of user attempts exceeds the configured number of attempts allowed. The duration of the lockout is also configurable.

The administrator can remove the locked out status at any time.

Deleting an Account

Admin Console:

Home → Manage → Accounts

You can delete accounts from the Administration Console. This removes the account from the server, deletes the messages in the message store, and changes the number of accounts used against your license.

Tip
 Before you delete an account, run a full backup of that account to save the account information. See also Backup and Restore.

Viewing an Accounts Mailbox

You can view a selected account’s mailbox content, including all folders, calendar entries, and tags from the Administration Console.

Admin Console:

Home → Manage → Accounts → account

Select an account, from the Gear icon select View Mail. The user’s {product-short} account opens in a new browser window.

This feature can be used to assist users who are having trouble with their mail account as you and the account user can be logged on to the account at the same time.

Any View Mail action to access an account is logged to the audit.log file.

Using an Email Alias

An email alias is an email address that redirects all mail to a specified mail account. An alias is not an email account. Each account can have unlimited numbers of aliases.

When you select Aliases from the Manage Aliases navigation pane, all aliases that are configured are displayed in the content pane. You can create an alias, view the account information for a specific alias, move the alias from one account to another, and delete the alias.

Working with Distribution Lists

A distribution list is a group of email addresses contained in a list with a common email address. When users send to a distribution list, they are sending the message to everyone whose address is included in the list. The address line displays the distribution list address; the individual recipient addresses cannot be viewed.

You can create distribution lists that require an administrator to manage the member list and you can create dynamic distribution lists that automatically manages adding and deleting members in the list. For more information about dynamic distribution lists, see Using Dynamic Distribution Lists.

You can see which distribution lists a user is a member of from the user’s account "Member of" page. When a Zimbra user’s email address is added to a distribution list, the user’s account Member Of page is updated with the distribution list name. When a distribution list is deleted, the distribution list name is automatically removed from the account’s "Member Of" page.

Setting Subscription Policies for Distribution Lists

Subscription policies can be set up to manage a distribution list’s membership. Owners of the list manage the subscription policy from the Properties page of a distribution list.

Distribution Option Description

New Subscription Requests

  • Automatically accept — Membership is open to anyone who subscribes.

  • Require list owner approval —  To subscribe, users send an email to the owner of the distribution list and the owner replies to this email request.

  • Automatically reject — No one can be added to this distribution list.

Unsubscription Requests

  • Automatically accept —  Anyone can remove their name from the list.

  • Require list owner approval — To be removed from the distribution list, users send an email to the owner. The owner must accept the email request to remove the name.

  • Automatically reject — Users cannot remove themselves from the list.

Management Options for Owners of Distribution Lists

You can add owners to distribution lists and they manage the list from their {product-short} account’s Address Book, Distribution List folder. Owners of a list can right-click a distribution list and click the Edit Group link to edit a list.

Besides adding and deleting members, distribution list properties that owners can configure include:

  • Marking the list as private so it is hidden in the Global Address List

  • Managing who can send messages to the list

  • Setting a member subscription policy

  • Adding additional owners

Creating a Distribution List

Use steps in this section to create a distribution list:

Admin Console:

Home → Manage → Distribution Lists

  1. From the Gear icon, click New.

  2. On the Members page, add the distribution list name. Do not use spaces. The other fields are optional.

  3. Find members to add to the distribution list in the right column. Select the members to add and click Add Selected. If you want to add all addresses on the page, click Add This Page. If you want to add members that are not in the company list, in the Or enter addresses below section, type a complete mail address.

  4. Click Next to configure the Properties page.

    Table 2. Distribution Properties Options
    Distribution Properties Options Description

    Can receive mail

    Enabled by default. If this distribution list should not receive mail select this box.

    Hide in GAL

    Enable to create distribution lists that do not display in the Global Address List (GAL). You can use this feature to limit the exposure of the distribution list to only those that know the address.

    Mail Server

    This is set to auto by default. To select a specific mail server, uncheck auto and select a specific server from the list.

    Dynamic Group

    If you check this box, the Member URL field displays and you create a dynamic distribution list.

    New Subscription Requests

    Select from:

    • Automatically accept

    • Require list owner approval

    • Automatically reject

    Unsubscription Requests

    Select from:

    • Automatically accept

    • Require list owner approval

    • Automatically reject

  5. In the Members Of page, select distribution lists that should be direct or indirect members of the list.

  6. If the distribution list should have an alias, create it.

  7. If this distribution list can be managed by other users, enter these email addresses in the Owners page.

  8. Set how messages received to the distribution list should be replied to.

  9. Click Finish. The distribution list is enabled and the URL is created.

Managing Access to Distribution Lists

After a distribution list is created, you can manage who can view members of a distribution list and who can send messages to a distribution list. The default is all users have access to all distribution lists. This section describes how to use the CLI to manage access.

To limit who can access distribution lists, grant rights to individual users on a domain or if you want only members of a domain to access distribution lists, you can grant rights on the domain. When you grant the right on the domain, all distribution lists on the domain inherit the grant.

You can grant the right on individual distribution lists and configure specific users that are allowed to access the distribution list.

You can restrict access to a distribution list from the CLI zmprov grantRight (grr) command.

Note
 For more information about how granting rights works, see Delegated Administration.

Who Can View Members of a Distribution List

The default is that all users can view members addresses in a distribution list. A distribution list address displays a + in the address bubble. Users can click on this to expand the distribution list. A list of the addresses in the distribution list is displayed. Users can select individual addresses from the expanded list.

Restricting who can view addresses in a distribution list to individuals or to a domain:

  • For individual users:

    zmprov grr domain <domain_name> usr <[email protected]> viewDistList

  • For all users in a domain:

    zmprov grr domain <domain_name> dom <example.com> viewDistList

  • To grant rights on a distribution list and let specific users view the list:

    zmprov grr dl <[email protected]> usr <[email protected]>

Who Can Send to a Distribution List

The default is that all users can send messages to all distribution lists. You can grant rights to a distribution list or to a domain that defines who can send messages to a distribution list. When users attempt to send to a distribution list that they are not authorized to use, a message is sent stating that they are not authorized to send messages to the recipient distribution list.

Note
 The Milter Server must be enabled from Home → Configure → Global Settings → MTA.

Restricting who can send messages to a distribution list to individuals or to a domain:

  • Granting rights to an individual user in a domain to send messages to all distribution lists.

    zmprov grr domain <domain_name> usr <[email protected]> sendToDistList

  • Granting rights to all users in a domain to send messages to all distribution lists.

    zmprov grr domain <domain_name> dom <example.com> sendToDistList

Restricting access and to remove the restriction to individual distribution lists for different user types.

Enabling View of Distribution List Members for AD Accounts

To view Active Directory distribution list members in messages or in the address book, the GAL group handler for Active Directory must be configured in the {product-abbrev} GALsync account for each Active Directory.

Use steps in this section to update the GALsync account for each Active Directory. This configuration requires that you know the GALsync account name and all data sources on that GALsync account.

  1. Display the Zimbra ID of the GAL sync account:

    zmprov gd {domain} zimbraGalAccountId

    To find the name:

    zmprov ga {zimbraId-of-the-GAL-sync-account} name

  2. Display data sources for the GALsync account:

    zmprov gds {gal-sync-account-name-for-the-domain}

  3. Enable the group handler for the Active Directory:

    zmprov mds {gal-sync-account-name-for-the-domain} {AD-data-source-name} \
 zimbraGalLdapGroupHandlerClass com.zimbra.cs.gal.ADGalGroupHandler

Using Dynamic Distribution Lists

Dynamic distribution lists automatically manage their membership. Users are added and removed from the distribution list automatically. When you create a dynamic distribution list, a member URL is specified. This member URL is used to identify who should be members of the list. You can view this URL from the Administration Console distribution list’s Properties page.

You can create dynamic distribution lists from the Administration Console or from the CLI. In the URL, you specify specific object classes that identify the type of users to be added to the dynamic distribution list. For example, you can configure a dynamic distribution list with the object class= zimbraAccount. In this case, when accounts are provisioned or accounts are deleted, the dynamic distribution list is updated.

You can create dynamic distribution lists for all mobile users or POP/IMAP users.

You can modify a distribution list to change the filter rules. When you modify a distribution list, the members in the list are changed to reflect the new rule.

Create Dynamic Distribution Lists

You can create a dynamic distribution list with the admin console or with the CLI, as described in this section.

Admin Console:

Home → Manage → Distribution Lists.

  1. From the Gear icon, click New.

  2. On the Members page, add the dynamic distribution list name. Do not use spaces. Do not add members to the list.

  3. Click Next to configure the Properties page.

    Table 3. Dynamic Distribution Lists Options
    Option Description

    Can receive mail

    Enabled by default. If this distribution list should not receive mail select this box.

    Hide in GAL

    Enable to create distribution lists that do not display in the Global Address List (GAL). You can use this feature to limit the exposure of the distribution list to only those that know the address.

    Mail Server

    This is set to auto by default. To select a specific mail server, uncheck auto and select a specific server from the list.

    Dynamic Group

    Check this box.

    Can be used in right management

    Uncheck this box.

    Member URL

    The Member URL is an LDAP-type URL defining a filter that determines which users are added to and removed from the list.

    Type the URL for this list. In the command, ldap://??sub? is the URL. You can add any combination of filters to this to create different types of dynamic distribution lists.

    Example 1. All users, GAL account names, and spam/ham account list
    ldap:///??sub?(objectClass=zimbraAccount)
    Example 2. Delegated administrators list
    ldap:///??sub?(&(objectClass=zimbraAccount)(zimbraIsDelegatedAdminAccount=TRUE))
    Example 3. All active accounts
    ldap:///??sub?(&(objectClass=zimbraAccount)(ZimbraAccountStatus=active))
    Example 4. All users with the title manager

    The title is taken from the account’s Contact Information Job Title field. In this example, this field would be set to "Manager".

    ldap:///??sub?(&(objectClass=zimbraAccount)(title=Manager))

    New Subscription Requests

    Select Automatically reject.

    Unsubscription Requests

    Select Automatically reject.

  4. If the dynamic distribution list should have an alias, create it.

  5. If this dynamic distribution list can be managed by other users, enter these email addresses in the Owners page.

  6. If you want to set up a reply to address, enter it here. Any replies to this distribution list are sent to this address.

  7. Click Finish. The dynamic distribution list is created.

Users are added automatically to the list based on the filter you specified. If you add or delete users, the list is updated.

Note
 If you use the CLI to modify a dynamic distribution list originally created on the Administration Console, you must set zimbraIsACLGroup FALSE for that dynamic distribution list.

Use the CLI zmprov command to manage dynamic distribution lists. In the command, ldap:///??sub? is the URL. You can add any combination of filters to this to create different types of dynamic distribution lists.

  1. Creating a dynamic distribution list of all new and existing accounts

    All users, GAL account names, and spam/ham account names are included. When user accounts are deleted, they are removed from the list.

    zmprov cddl <[email protected]> zimbraIsACLGroup FALSE \
  memberURL 'ldap:///??sub?(objectClass=zimbraAccount)'

  2. Creating a COS and Assign Users

    If you create COSs and assign users to the COS based on specific criteria, such as all managers, you can quickly modify a dynamic distribution list to be used for a specific COS.

    Example 5. A dynamic distribution list that includes all users that have active accounts in a specific COS
    zmprov cddl <[email protected]>  zimbraIsACLGroup FALSE \
  memberURL 'ldap:///??sub?(&(objectClass-zimbraAccount) (zimbraCOSId=513e02e-9abc-4acf-863a-6dccf38252e3) (zimbraAccountStatus=active))'
    Example 6. A dynamic distribution list that includes all users based on job titles

    To use this, the account’s Contact Information Job Title field must include the title. In this example it would be set to "Manager".

    zmprov cddl <[email protected]> zimbraIsACLGroup FALSE' \
  memberURL ldap:///??sub?(&(objectClass-zimbraAccount) (zimbraCOSId=513e02e-9abc-4acf-863a-6dccf38252e3) (title=Manager))'
    Example 7. A dynamic distribution list for all delegated administrators
    zmprov cddl <[email protected]> zimbraIsACLGroup FALSE \
  memberURL 'ldap:///??sub?(&(objectClass-zimbraAccount) (zimbraCOSId=513e02e-9abc-4acf-863a-6dccf38252e3) (zimbraIsDelegatedADminAccount=TRUE))'

Moving a Mailbox

Mailboxes can be moved between Zimbra servers that share the same LDAP server.

You can move a mailbox from either the Administration Console or use the CLI command zmmboxmove to reposition a mailbox from one server to another, without taking down the servers.

The destination server manages the mailbox move process. The move runs in the background and the account remains in active mode until most of the data has been moved. The account is locked briefly to move the last data and then returned to active mode.

The mailbox move process goes through the following steps:

  • Mailbox blobs are moved to the new server

  • When most of the content has been moved, the account is put into maintenance mode

  • Database tables, index directories, and any changed blobs are moved

  • The account is put back into active mode

After the mailbox is moved to a new server, a copy still remains on the older server, but the status of the old mailbox is closed. Users cannot log on and mail is not delivered. Check to see that all the mailbox content was moved successfully before purging the old mailbox.

  • Moving a mailbox to a new server

    zmmboxmove -a <email@address> --from <servername> --to <servername>

  • Purging the mailbox from the old server

    zmpurgeoldmbox -a <email@address> -s <servernamee>

Global Configuration Options for Moving Mailboxes

Global configuration options for moving a mailbox can be set to exclude search indexes, blobs, and HSM blobs when mailboxes are moved. The following configuration options can be set on either the exporting server or the destination server:

  • zimbraMailboxMoveSkipSearchIndex — If you do not include the search index data, the mailbox will have to be reindexed after the move.

  • zimbraMailboxMoveSkipBlobs — Blobs associated with the mailbox, including primary and secondary volumes (HSM) are excluded.

  • zimbraMailboxMoveSkipHsmBlobs — This is useful when HSM blobs already exist for the mailbox being moved. Set this if zimbraMailboxMoveSkipBlobs is not configured, but you want to skip blobs on HSM volumes.