Recently a phishing email got past our spam filter and we wanted to determine the extent to which users would be impacted.

Zimbra’s admin interface in the Community Edition doesn’t have the ability to search through all emails in a convenient way, so we started scouring the web for solutions.
the following command, change SEARCH STRING to the text you want to change.


$zmprov -l gaa |awk ‘{print “zmmailbox -z -m “$1″ search \”SEARCH STRING\” “}’ |sh -v

Zmprov retrieves a list of all user mailboxes on your system, pipes that into awk which then creates the command which uses zmmailbox to search for the specified text in each of the mailboxes returned from zmprov, then pipes that into sh (shell) which executes the formatted command.


The only problem with this command is that it prints the command, along with a line that indicates the number of results returned – for every user. So if the user didn’t have any results, you still get a line printed. If they had results, a line indicating which email contained them is printed. This could be improved by returning only pertinent results. If you are executing this on command line make sure your buffer is large enough to store all results for the amount of users you have.


With approximately 1100 active accounts and 120GB of mailbox data, this command took about 3 hours to execute under normal daily load. The command itself did not appear to increase system load appreciably during execution.