W B Hacker, 2011-10-27 07:51:
> Ah - forgot to mention one of the BASIC conventions:
>
> Any 'deny class' verb is permanent. Session having been terminated,
> no later 'accept' could possibly act.
>
> An 'accept' OTOH is *temporary* ..
> ...unless it is the LAST one to act in acl_smtp_data.
> 'endpass' after an 'accept' can skip all remaining clauses in a
> given phase.
This is not true.
http://www.exim.org/exim-html-current/doc/html/spec_html/ch40.html#SECID200
says:
> accept: If all the conditions are met, the ACL returns “accept”.
i.e., a successful (i.e., all conditions were met) "accept" skips the
remaining ACL entries.
And just after that about "endpass":
> If any of the conditions are not met, what happens depends on whether
> endpass appears among the conditions (for syntax see below). If the
> failing condition is before endpass, control is passed to the next
> ACL statement; if it is after endpass, the ACL returns “deny”.
So, "accept" really means "accept", for the current ACL. endpass may be
handy for some situations, but it's just too mind-boggling (an accept
turned into a deny, wtf?), so, as the spec says:
> current “best practice” is to avoid the use of endpass.