We just ran into this as well when a user with "zimbraPasswordMustChange: TRUE" logged into a virtual host using only their short-login (lacking @domain.com). The user was unable to proceed until they input their full-login (user@domain.com) in the username field.
This seems to be a bug, can anyone else confirm?
Steps to reproduce:
1. Create a domain, "domain.com"
2. Give it a virtual host, "mail.domain.com"
3. Set its public service host name, "mail.domain.com"
4. Create a user, "testuser@domain.com" with "Must change password" checked/enabled.
5. Use the web interface at "mail.domain.com"
6. Login using the short-login "testuser"
7. User is prompted for a new password.
8. Fill in the new password fields appropriately
9. Click "Log In"
10. An error appears about invalid "username or password"
P.S. These seem related:
Can't login when i change the password Bug 24729 – Rolling Upgrade: Admin console - Default domain is not working on cross server