Sendmail administrators using FEATURE(dnsbl) may have noticed that ruleset check_rcpt is executed after all connected milters have executed the corresponding xxfi_*() routines.
Wouldn’t it be better if a milter (in fact the first in order) could block a connection based on a list of DNSBLs?
That is why I wrote my first milter, milter-dnsbl (download). milter-dnsbl has no configuration file; on startup it takes a number of arguments that allow you to specify a number of DNSBLs, plus whitelists published via DNS, or based on the domain name of the connecting host. It requires a running lwresd(8) which it uses as a caching server. Read the manpage that comes with the source code distribution.
milter-dnsbl is distributed with an OpenBSD-style license and has been tested on an Ubuntu 6.06 i386 server.
Managing organized complexity 
a) If sender is smtp-authenticated, how can you bypass this milter (or any milter) so that the email will be sent even though this (or another) milter would return discard/reject?
b) How can you bypass the dnsbl checks for specific users (who want to receive all emails, even those from listed ip addresses) ?
Just food for thought :)
@stsimb:
a) milter-dnsbl does not yet deal with SMTP-AUTH issues. It will deal with it when I implement it on our systems.
:)
b) milter-dnsbl as is designed right now, suits best the needs of an organization with a central, not a per user, policy.
Alternative milter
http://dnsbl-milter.sourceforge.net
spamass-milter can and does get bypassed when using smtp-auth