At 03:10 PM 5/6/2004, Dan Wilder wrote:
> No doubt there's a post in the archive that describes it all perfectly,
> but I was unable to find it.  The question crops up often.  I was having
> trouble with it myself just the other day.
>
> The resolution AFAIK revolves around:
>
> * setting trusted_networks correctly, and

Dan, this isn't Keith's problem. That will fix "notfirsthop" lists, but that part of his config is working correctly; otherwise RCVD_IN_DYNABLOCK would have also matched.


The problem he's having is not a misconfiguration. His friend's IP is blacklisted as an open-proxy spam relay. SA noticed, as it should.

SA is very much intentionally designed to NOT skip open-relay list checks on the first hop.

Why? Because some spam is relayed from exploited hosts into legitimate ISP relays. The only way to detect these is to detect if the originating IP is in any relay/exploit lists. The IP in question is part of a DSL network, which makes it a prime target for spammer abuse and all the more important to check the relay databases. (Lots of foolish DSL users accidentally create open relay mailservers and/or proxies on their home systems as they try to evade their work's firewalls and/or content filters.)

This is not the same thing as checking the first hop against dialup lists, which is inherently bad.
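
A simplified model of the hop selection discussed in this message, added here as an illustration and not SpamAssassin's own code: hops inside trusted_networks are never looked up, a "notfirsthop" (dialup-style) list skips the originating hop, and an open-relay list checks every untrusted hop including the originating one. The zone names, the addresses (documentation ranges) and the rule that a lone untrusted hop is still checked against "notfirsthop" lists are assumptions of this sketch.

```python
import ipaddress

# Constructed sample: relay IPs taken from Received headers, newest hop first.
RELAYS = ["192.0.2.10", "198.51.100.25", "203.0.113.77"]
TRUSTED_NETWORKS = ["192.0.2.0/24"]  # our own mail exchanger (assumed)

# Placeholder zones, not real DNSBLs.
LISTS = [
    {"zone": "dialup.dnsbl.example", "notfirsthop": True},   # dynamic/dialup ranges
    {"zone": "relays.dnsbl.example", "notfirsthop": False},  # open relays and proxies
]


def untrusted_relays(relays, trusted):
    """Drop hops that fall inside trusted networks; those are never queried."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    return [r for r in relays
            if not any(ipaddress.ip_address(r) in n for n in nets)]


def dnsbl_name(ip, zone):
    """Standard DNSBL query name: reversed IPv4 octets followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def planned_queries(relays, trusted, lists):
    """Return the DNS names that would be queried for this message."""
    hops = untrusted_relays(relays, trusted)
    queries = []
    for bl in lists:
        # With newest-first ordering the originating host is the last entry.
        # Assumption of this model: a lone untrusted hop is still checked,
        # since a legitimate dialup user is expected to relay via an ISP server.
        if bl["notfirsthop"] and len(hops) > 1:
            candidates = hops[:-1]
        else:
            candidates = hops
        queries += [dnsbl_name(ip, bl["zone"]) for ip in candidates]
    return queries


if __name__ == "__main__":
    for name in planned_queries(RELAYS, TRUSTED_NETWORKS, LISTS):
        print(name)
```

The originating address 203.0.113.77 is queried against the relay zone but not the dialup zone, which is the distinction the message draws.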


