I wanted to start using http://virbl.bit.nl/ but it is only meaningful for the host connecting directly to you (or your trusted_networks, if I understand that correctly).
That is, if an infected machine is properly relaying through its ISP's mail server, I don't want to mark it.
Can check_rbl() work only on the 'last hop'?
Well, the "notfirsthop" specifier used in rbl_check rules, despite its name, is in actuality implemented as "only those IPs that connected to hosts in trusted_networks" in the 2.6x series.
Thus, notfirsthop should do what you want, provided your trusted_networks is working.
(The name notfirsthop is a bit of a legacy from the days when it really was "all hops excluding the first", but trusted_networks changed that.)
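As an added illustration (not part of the thread, and not the list operator's published rule), here is how such a rule looks in a SpamAssassin local.cf: the "-notfirsthop" suffix on the set name is what selects the behaviour described above, and it only does the right thing if trusted_networks actually lists every host that handles your mail before SpamAssassin sees it. The network 192.0.2.0/24, the rule name and the zone name are placeholders; take the real DNSBL zone from the list operator's documentation.

```conf
# Every MTA/MX that relays mail into this site must be listed here; a
# missing host means SpamAssassin treats it as "untrusted" and the lookup
# would then be done on that host's IP instead of the real external peer.
# (192.0.2.0/24 is a placeholder for your own relay network.)
trusted_networks 192.0.2.0/24

# The "-notfirsthop" suffix on the set name ('virbl-notfirsthop') restricts
# the lookup to the relay that connected to a trusted host, i.e. the last
# external hop, so an infected PC sending via its ISP's smarthost is not
# what gets looked up; the ISP's smarthost is.
# Zone name below is a placeholder; use the one the list operator publishes.
header   RCVD_IN_VIRBL  eval:check_rbl('virbl-notfirsthop', 'virbl.bit.nl.')
describe RCVD_IN_VIRBL  Connecting relay listed in the virbl infected-host list
tflags   RCVD_IN_VIRBL  net
score    RCVD_IN_VIRBL  1.0

# Weak variant for comparison: the same lookup without the suffix would be
# applied to every untrusted hop in the Received chain, including the
# originating client behind an ISP relay, which is exactly what the
# question wants to avoid.
# header RCVD_IN_VIRBL_ALLHOPS eval:check_rbl('virbl', 'virbl.bit.nl.')
```

Check the outcome with `spamassassin -D dns,received-header < message.eml` (2>&1), which shows which relays were classed as trusted and which IP the lookup was issued for.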
