Diffstat (limited to 'env/users')
| -rw-r--r-- | env/users/mailbox.nix | 44 |
1 files changed, 29 insertions, 15 deletions
diff --git a/env/users/mailbox.nix b/env/users/mailbox.nix index 46bbd6a..06e67ef 100644 --- a/env/users/mailbox.nix +++ b/env/users/mailbox.nix @@ -34,16 +34,16 @@ in # Otra solución posible (https://serverfault.com/a/1062274/980378): # auth_username_format = %{if;%d;eq;${domain};%Ln;%Lu} localEntry = canonical: username: '' - ${username}:::::::user=${canonical} userdb_user=${canonical} + ${username}:::::::user=${canonical} nopassword userdb_user=${canonical} ''; localEntries = concatStrings (flatten (mapAttrsToList (canonical: user: - map (localEntry canonical) user.hardAliases) + map (localEntry canonical) ([ canonical ] ++ user.hardAliases)) cfg.users)); - localAliases = pkgs.writeText "local-mailboxes" localEntries; + localMailboxes = pkgs.writeText "local-mailboxes" localEntries; vmailPath = "/var/lib/vmail/%{if;%d;ne;;%Ld;${domain}}"; in 
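Review bot: Adding `nopassword` to `localEntry` means any passdb that reads this generated file will accept the listed names without checking a password, and with `[ canonical ] ++ user.hardAliases` that now covers every local account rather than only the aliases. Whether that is safe depends entirely on the result_* settings of the passdb that consumes the file, which are in the second hunk, far from this definition. A comment at `localEntry` would keep the two tied together, for example `# nopassword: lookup-only entry; the passdb reading this file must never end in return-ok or continue-ok`. The enclosing let block starts outside the hunk.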
@@ -51,43 +51,57 @@ in # Esto enfuerza user@domain.tld auth_username_format = %{if;%Ld;eq;${domain};%Ln;%{if;%d;ne;;%Lu;%Ln@invalid}} + # FIXME: Esta cadena de passdbs hace que 'doveadm user lookup' + # falle para usuarios locales, pero todo lo demás sirve. Parece + # ser debido a que pam no puede enumerar. + passdb { driver = passwd-file - args = ${localAliases} - - result_internalfail = return-fail + args = username_format=%Ln ${vmailPath}/passwd } passdb { driver = passwd-file - args = username_format=%Ln ${vmailPath}/passwd + args = ${localMailboxes} + + # Esta es una forma de determinar si se encontró el usuario en + # el passwd-file por medio de nopassword sin realmente + # autenticarlo. Cuidado con result_success, porque si eso se + # configura mal se permite inicio de sesión con cualquier + # contraseña (!!!). + result_success = continue + result_failure = return-fail + result_internalfail = return-fail + + username_filter = !*@* } passdb { driver = pam args = dovecot2 - username_filter = !*@*.* + username_filter = !*@* #TODO: algo como 'override_fields = allow_nets=...' } userdb { driver = passwd-file - args = ${localAliases} - - result_success = continue - result_internalfail = return-fail + args = username_format=%Ln ${vmailPath}/passwd + override_fields = uid=vmail gid=vmail home=${vmailPath}/home/%Ln } userdb { driver = passwd-file - args = username_format=%Ln ${vmailPath}/passwd - override_fields = uid=vmail gid=vmail home=${vmailPath}/home/%Ln + args = ${localMailboxes} + + result_success = continue-ok + result_internalfail = return-fail + skip = found } userdb { driver = passwd args = blocking=no - skip = found + skip = notfound } ''; }; |
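Review bot: The second passdb block uses `nopassword` with `result_success = continue` to detect a local user without authenticating them, but nothing visible here checks that a wrong password is still rejected once the chain reaches `driver = pam`. As far as I recall, Dovecot's passdb documentation says `continue` under result_success lets later passdbs skip password verification, so the outcome appears to rest on how the pam driver treats that state; this should be confirmed against the deployed version. I would pin it with a negative login test for a local user and record the result in the comment, e.g. `# Verified: a wrong password for a local user is rejected by pam; re-test after every Dovecot upgrade`. Separately, the vmail passwd-file passdb now runs first and has no `username_filter`, so it is worth confirming that a domain-less local name cannot match a virtual entry with the same local part.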
