Phil Pennock wrote:
> On 2009-11-16 at 10:01 +0800, W B Hacker wrote:
>>>>> acl_check_dkim:
>>>>> warn log_message = GMail sender without DKIM signature
>>>>> sender_domains = gmail.com
>>>>> dkim_signers = gmail.com
>>>>> dkim_status = none
>>>>> deny message = Message from Paypal with invalid or missing signature
>>>>> sender_domains = paypal.com:paypal.de
>>>>> dkim_signers = paypal.com:paypal.de
>>>>> dkim_status = none:invalid:fail
>>>>> accept
>
>> It had no chance to .....
>>
>> An 'accept' may be over-ruled by a later 'deny'.
>
> *cough*
>
> The first "accept" or "deny" is the end of the ACL. The "accept" is
> never seen because the "deny" was matched.
>
> An "accept" can not be overruled by a later "deny".
>
> -Phil
>
Quote:
"An "accept" can not be overruled by a later "deny".
I | we should have specified:
...within the same SMTP PHASE...
An 'accept' most certainly can be over-ruled by a deny-class verb in any
*subsequent* phase. Not to mention a non-acl router/transport ruleset.
EG: accept in acl-smtp_connect, deny in acl_smtp_data (or anything in between).
WHEREAS - the first 'deny' (class) verb hit is end of story for [at least] that
recipient/message combination - if not the entire session.
Bill