On thinking about it you probably can't do it with whitelist_from_rcvd. My
understanding (possibly incorrect in this specific case, but it looks right)
is that SA just overrides any line with a later matching line. So in this
case you are probably just ending up with the last line.
The ideal case here would be if you could say
whitelist_from_rcvd [EMAIL PROTECTED] (first_isp.com|second_isp.com)
But I doubt seriously that an RE will work here. If it doesn't work it
would seem to be worth an enhancement request to the SA devs.
I think you are going to have to use a rule or three here. Perhaps
something along the (untested) lines of
header __MY_FROM From =~ /[EMAIL PROTECTED]/
header __MY_ISPS Received =~ /\w\@(?:isp1|isp2|isp3)\.com[ >]/
meta MY_USER_WHITELIST (__MY_FROM && __MY_ISPS)
score MY_USER_WHITELIST -50
Or something like that.
I seem to recall some recent mention of an 'addrs' or 'address' modifier
that can be used on Received (and maybe From?) that might tighten up that
scan to make sure that it onlly hit on the right address in the received
chain, to prevent spoofing. Not sure how to use it, but a little searching
in the docs or archive may make it obvious.
Loren
