On Fri, 2007-10-05 at 08:15 +0200, Magnus Holmgren wrote: > Errm. ยง 40.8 says (about the QUIT ACL) that "You do not need to have a final > accept", and logically the same should apply to the not-QUIT ACL. It's only > explicit denys that are forbidden (at least by the implementation). And by > the way, that wasn't even the issue here.
Hrm... I just read, and closed, #608 with the comments that an explicit deny in the QUIT or not-QUIT ACLs is invalid per the spec. Surely calling a child (nested) ACL which returns a deny is the same as explicitly stating deny? Or... thinking about it... in this case, with the child ACL returning an explicit deny, the statement resolves (in human terms at least!) as: accept acl = false so any further processing of that ACL section will halt, and it'll drop to the next part - as none is defined, that hits the implicit deny which in the case of the QUIT and not-QUIT ACLs is irrelevant anyway, as the connection has gone away already and no further access control is possible. The interesting part here is that by calling the child ACL from the QUIT or not-QUIT ACL, should the same rules apply? IMO they should do - so deny is an invalid verb in the child ACL aswell as the parent ACL for QUIT and not-QUIT - but this may be argued against by others! Maybe #608 needs re-opening. Discuss :) Graeme -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
