One of the reasons I wrote the script I did to build the virtusertable on the perimeter system, was so that I could use all of the internal Sendmail tools for dnsbls and address checking, and use the SpamAssassin Milter. That way, all of the filtering is managed by Sendmail, which means that it keeps the load from scanning invalid emails to a minimum.
So my message flow is like this:
Message from Internet bound for user@domain.com goes to Sendmail on perimeter system. Sendmail checks for valid user (against the virtusertable that my script generates on the Scalix server, copies up to the perimeter system, and activates), DNSBLs, and DNS hoaxiness. If it catches any of that going on then it rejects the message and moves on, without ever receiving the body of the email (saving CPU cycles and *LOADS* of bandwidth in the process). If the message passes all the nasty Sendmail tests, then Sendmail receives the message and passes it into the ClamAV and SpamAss Milters.
If ClamAV milter sees a virus, the message disappears forever (configurable of course, but that's my preference). Frankly, I almost never get those because viral messages always trip up on DNS or being sent from a DNSBL IP address.
If SpamAss Milter tags the message, then Sendmail forwards the message to an address local to the digester (an entry in /etc/aliases like "|/usr/bin/spamdigester") which initiates the quarantine process and stores the message in the MySQL database for future review/ delivery/ deletion as part of a Digest email.
If the message is clean, then it gets sent on to the ultimate destination address as defined in virtusertable (i.e. user@scalix.domain.com).
The idea is to minimize user interaction with Junkmail, while ensuring that they get to review the messages that get tagged and keep the control over mailflow. No special knowledge necessary, no folders to manage for misclassified messages, etc.
So, in short, my users never see this script happening, or interact with it in any way - it's all automated, behind the scenes stuff, expressly to keep them from having to deal with the incredible amount of junk out there.
Ultimately, if it's possible, I'd love to have Sendmail be able to query the Scalix server directly, as a message is being received, in real time, and do away with the virtusertable. However, using a polled virtusertable has some advantages that would be difficult to do with realtime queries, such as having 'unpublished' PDLs that only local Scalix users can send to (although I suppose that's what ACLs are for).
The big motivator to write this whole mess was the way that Scalix works: It *receives* all messages and *then* scans them for spamminess or viral content. All the DNSBL and DNS stuff has to be hooked into my sendmail later on, after the message is received, which is *intensely* wasteful of bandwidth and CPU cycles, and *seriously* mucks up the works when Sendmail tries to reject a message. By moving to a perimeter solution, I accomplished several goals: Reject invalid messages before the message body is received, use wicked DNSBL filtering, and skip spam scanning all the messages that never leave the Scalix system (i.e. messages sent from one Scalix user to another).
On one particular site, I eliminated over 75% of all the mail that was coming to the server simply by implementing the Sendmail DNSBLs at the perimeter. That's 75% fewer CPU cycles wasted on junk mail, and 75% fewer false negatives (at least). That site, after a year of using all this and using Bayes autolearn in SpamAssassin, now rarely has false negatives (less than 1/day/user), and simply doesn't get false positives.
*Whew* sorry for the long-winded post
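The virtusertable the post describes, generated from a recipient list and capped with a per-domain catch-all so the perimeter Sendmail rejects unknown users at RCPT TO, before the body is ever received. This is an added illustration, not the poster's script; the domain names, the sample export and the character whitelist are assumptions, and the domain must already be in Sendmail's virtual-host class for the catch-all to apply.

```python
#!/usr/bin/env python3
"""Build a Sendmail virtusertable for a perimeter MTA (added example).

Every valid recipient at the public domain maps to the internal Scalix
host; a catch-all entry for the domain rejects unknown users so the
perimeter can refuse them at RCPT TO time, before the body is sent.
"""
from typing import Iterable, List

PUBLIC_DOMAIN = "domain.com"         # assumption: public-facing domain
INTERNAL_HOST = "scalix.domain.com"  # assumption: internal Scalix host

# Constructed sample export of valid addresses (e.g. from the Scalix server).
SAMPLE_EXPORT = """\
Alice@domain.com
bob@domain.com
bob@domain.com
sales-team@domain.com
root@other.example
bad<script>@domain.com
"""

def build_virtusertable(addresses: Iterable[str],
                        public_domain: str = PUBLIC_DOMAIN,
                        internal_host: str = INTERNAL_HOST) -> List[str]:
    """Return virtusertable lines: one entry per valid local part, sorted,
    followed by a catch-all that rejects everything else at the domain."""
    seen = set()
    for raw in addresses:
        addr = raw.strip().lower()
        local, sep, dom = addr.partition("@")
        if not sep or dom != public_domain or not local:
            continue                      # other domains are not ours to route
        # Keep map keys to a conservative character set so a hostile
        # export line cannot produce a malformed or surprising entry.
        if not all(c.isalnum() or c in "._-+" for c in local):
            continue
        seen.add(local)
    lines = [f"{local}@{public_domain}\t{local}@{internal_host}"
             for local in sorted(seen)]
    # Anything else at the domain gets a 550 "User unknown" at RCPT TO.
    lines.append(f"@{public_domain}\terror:nouser User unknown")
    return lines

if __name__ == "__main__":
    # Write this text to /etc/mail/virtusertable, then on the perimeter run:
    #   makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable
    print("\n".join(build_virtusertable(SAMPLE_EXPORT.splitlines())))
```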