colemanjp/gist:3788947

## gistfile1.txt
   LOCAL_RULESETS
   SLocal_check_rcpt
   # `nosmtpusers for Proofpoint'
   # `Per-user blocking for compromised SMTP auth sessions'
   R$*             $: $&{auth_authen}
   R$*             $: $(access yaleblocklist:$1 $)
   RBLOCKED        $#error $: "553 Sender blocked"


Intuitively, this should go in Local_check_mail, but per
http://www.sendmail.com/sm/open_source/docs/m4/anti_spam.html#delay_check
check_mail and check_relay are skipped if FEATURE(`delay_checks') is on and the sender has authenticated.

"
By using FEATURE(`delay_checks') the rulesets check_mail and check_relay will not be called when a
client connects or issues a MAIL command, respectively. Instead, those rulesets will be called by
the check_rcpt ruleset; they will be skipped if a sender has been authenticated using a "trusted" mechanism...
"

Since we don't control what proofpoint turns on and off, putting this in check_rcpt seems like the safest thing to do.
	LOCAL_RULESETS
	SLocal_check_rcpt
	# `nosmtpusers for Proofpoint'
	# `Per-user blocking for compromised SMTP auth sessions'
	R$* $: $&{auth_authen}
	R$* $: $(access yaleblocklist:$1 $)
	RBLOCKED $#error $: "553 Sender blocked"


	Intuitively, this should go in Local_check_mail, but per
	http://www.sendmail.com/sm/open_source/docs/m4/anti_spam.html#delay_check
	check_mail and check_relay are skipped if FEATURE(`delay_checks') is on and the sender has authenticated.

	"
	By using FEATURE(`delay_checks') the rulesets check_mail and check_relay will not be called when a
	client connects or issues a MAIL command, respectively. Instead, those rulesets will be called by
	the check_rcpt ruleset; they will be skipped if a sender has been authenticated using a "trusted" mechanism...
	"

	Since we don't control what proofpoint turns on and off, putting this in check_rcpt seems like the safest thing to do.