in a security relevant project, we need to restrict access to Zimbra with one-time passwords (OPIE One Time Password is Everything).

I heard that this is possible, and should not be difficult to implement. You need to arrange for the OTP authentication to be done at the web application level, not at the HTTP level (basic/digest). Most rich web applications have a login flow where there's a login page prompting you for a username, it sets a session cookie, then prompts you for a password, and if the right password is entered it will let you in. You just need to make the password prompt page display an OTP challenge and take an OTP response, which isn't conceptually a big change. How hard it is to do in practice depends on how the web application is written.

As a matter of good practice you should also have a way to ensure that the OPIE locks (if used) are timed out just like you time out the sessions.

My question:
How hard would would it be to enable Zimbra in order to support Challenge/Response authentication method?

Thank's a lot for your feedback!