Hello,
> The order of things in the RCPT ACL is important - tests happen in the
> order they appear in the config, and as soon as a successful 'accept',
> 'deny' (etc) is reached, processing stops.
>
> You've probably got something equivalent to 'accept authenticated = *'
> ahead of the 'require verify = sender', so the 'require' is never reached
> if the 'accept' succeeds.
in fact, "require verify = sender" is stated earlier than "accept
authenticated = *". And I'm not testing on localhost. It seems, that
"require verify = sender" doesn't deny. Or does it check the
sender-domain only?
Are the ACLs finished after the first successful "deny"? Or are they
proceeded anyway, because there might be an accept later?