I solved my problem, buy giving all users very long and random passwords.
Then using my own gateway to authenticate those users I trusted, and connecting them into Zimbra using the pre-auth ability of Zimbra.
This dose mean that anyone using the mobile sync has to use a very long and complex password, but they all hand their phones into me to set-up. Those with laptops also have to go through me, but then I have full control over them.
-Si-