An MQTT client can freeze during publishing when the client is not logged in with credentials necessary to write to the target destination.
Both MQTT 3.1 specification and the updated 3.1.1 specification stipulate that the broker should reply with a positive acknowledgement even if the client has no rights to publish on a topic.
v3.1 Updated specification for PUBLISH
MQTT 3.1 ( http://public.dhe.ibm.com/software/dw/webservices/ws-mqtt/mqtt-v3r1.html#publish )
Note that if a server implementation does not authorize a PUBLISH to be made by a client, it has no way of informing that client. It must therefore make a positive acknowledgement, according to the normal QoS rules, and the client will not be informed that it was not authorized to publish the message.
And v3.1.1 Updated specification for PUBLISH
MQTT 3.1.1 ( http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Toc398718037 )
If a Server implementation does not authorize a PUBLISH to be performed by a Client; it has no way of informing that Client. It MUST either make a positive acknowledgement, according to the normal QoS rules, or close the Network Connection [MQTT-3.3.5-2].
In v3.1.1 we would be allowed to close the connection but given that there is no indication to the client as to why it lost its connection it would most likely just reconnect and continue on.
We can log a warning on each failed PUBLISH due to security constraints to make it easier to debug missing messages.