Ran into an interesting issue with my realm code that should have just given me a reject rather than a segfault. In my default site I have added to the end the realm: realm "~.*$" { } So that suffix matches every realm as I don't have control over the realm names and need to perform lookups in the database on the realm. But if I then try and run suffix with an empty realm and do if check to see if it's not a particular realm I get a segfault. suffix if ( Realm == "testing" ) { reject } or if ( &Realm == "testing" ) { reject } or if ( "%{Realm}" == "testing" ) { reject } I always get the segfault. (0) Received Access-Request Id 46 from 127.0.0.1:34518 to 127.0.0.1:1812 length 256 (0) User-Password = "1234" (0) User-Name = "user" (0) # Executing section authorize from file ./sites-enabled/default ... (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "user", looking up realm NULL (0) suffix: Found realm "~.*$" (0) suffix: Adding Stripped-User-Name = "user" (0) suffix: Adding Realm = "(null)" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) if ( Realm == "testing" ) { Segmentation fault That's a bit nasty response really. Granted it's not exactly elegant that I am doing the lookup in the first place. But I didn't expect a segfault from that. I've worked around it by doing a check to make sure the realm isn't empty first. if ( !&Realm == "" ) { if ( Realm == "testing" ) { reject } } else { reject } And that drops into the else nicely (0) if ( !&Realm == "" ) { (0) if ( !&Realm == "" ) -> FALSE (0) else { (0) [reject] = reject (0) } # else = reject (0) } # authorize = reject Haven't gone looking into the code to see where the issue is yet, but I will have a look tomorrow.