What steps will reproduce the problem?
1. Put a (domain) JID on the privacy list as blocked
2. Log off
3. Receive message from blocked JID
The message should be blocked, but it's delivered.
The debug log says:
Dec 15 09:12:56 s2sin10f4df0 debug Received[s2sin]: <message type='chat' email@example.com' firstname.lastname@example.org/tjUdm6i'>
Dec 15 09:12:56 el-tramo.be:privacy debug preCheckIncoming: Couldn't get session for jid: email@example.com/nil
Running Prosody 0.9.11 on Debian.
So the problem is that in preCheckIncoming (https://hg.prosody.im/0.9/file/8613086779fa/plugins/mod_privacy.lua#l389) if the stanza is directed to the bare JID, it'll look for the highest priority session and use the privacy list of that. Since there's no such session when the user is offline, it'll proceed with doing absolutely nothing, which lets the stanza through.
It's highly unlikely that we'll be fixing mod_privacy. Recommend using mod_blocklist once 0.10 is done.
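
The fail-open path described in this thread, as an added example that is not part of the original discussion and is not Prosody's mod_privacy code: a simplified Lua model of the check beside a version that resolves the list from storage. All function names, JIDs and data are hypothetical and constructed, and it assumes the user's stored default list is the one to apply when no session exists.

```lua
-- Simplified model of the behaviour discussed above; NOT Prosody's code.
-- Every name here (stored_lists, sessions, check_incoming_*) is hypothetical.

-- Constructed sample data: stored privacy lists and online sessions per bare JID.
local stored_lists = {
  ["alice@example.org"] = {
    default = "blocked",
    lists = { blocked = { { type = "jid", value = "spam.example", action = "deny" } } },
  },
}
local sessions = {}  -- bare JID -> array of sessions; no entry means the user is offline

-- True if a list item matches the sender's full JID, bare JID or domain and denies it.
local function list_denies(list, from)
  local bare = from:match("^[^/]+")
  local domain = bare:match("@(.+)$") or bare
  for _, item in ipairs(list or {}) do
    if item.type == "jid" and (item.value == from or item.value == bare or item.value == domain) then
      return item.action == "deny"
    end
  end
  return false
end

local function top_session(bare_jid)
  local best
  for _, s in ipairs(sessions[bare_jid] or {}) do
    if not best or s.priority > best.priority then best = s end
  end
  return best
end

-- Fail-open: the list is looked up through the session, so no session means no check.
local function check_incoming_fail_open(to_bare, from)
  local s = top_session(to_bare)
  if not s then return "deliver" end  -- offline user: stanza passes unfiltered
  local store = stored_lists[to_bare]
  local name = s.active_list or (store and store.default)
  return list_denies(store and store.lists[name], from) and "block" or "deliver"
end

-- Hardened: the list comes from storage; a session only overrides which list applies.
local function check_incoming_hardened(to_bare, from)
  local store = stored_lists[to_bare]
  if not store then return "deliver" end  -- user has no privacy lists at all
  local s = top_session(to_bare)
  return list_denies(store.lists[(s and s.active_list) or store.default], from) and "block" or "deliver"
end

local from = "bot@spam.example/x"
print("offline, fail-open:", check_incoming_fail_open("alice@example.org", from))
print("offline, hardened: ", check_incoming_hardened("alice@example.org", from))
```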