SA 3.0 attempts to "guess" at trusted networks if you don't specify any. In situations using NAT, this doesn't work very well. There have been a few threads on this recently.
Add a "trusted_networks" entry or two to cover your mailservers and this problem will go away.
This is not a "new to 3.0" issue.
SA 2.6 actually does the exact same thing for trust paths, but only a few admins notice it because the impact is less noticeable.
In SA 2.6 it only causes two problems:
1) false positives on DYNABLOCK and other DUL RBLs (matching mail that was properly relayed)
2) whitelist_from_rcvd failures (failure to match domain parts)
Which are problems, but often go un-noticed. Many admins just assume SA is broken and dial down the score of DYNABLOCK, etc and just use whitelist_from instead of whitelist_from_rcvd.
in 3.0 it can cause ALL_TRUSTED to fire, along with several other problems. In 3.0 more rules are using the trust path, so the problems you've had all along are now more noticeable.
