As I understand it, the difference between trusted and internal is that PBL/DUL checks are done at the internal/external boundary so they don't FP on mail submission into the trusted network.
Firstly, doesn't that imply that relaying services like Spamgourmet could be treated as internal and not just trusted? Secondly, the PBL/DUL FPs don't appear to happen if the client authenticates into the internal network and it's recorded in the Received header. So presumably most independent mail services and many ISPs' servers could be put into the internal network. Thirdly, why is Spamhaus XBL evaluated with "-lastexternal" like the PBL/DUL blocklists?
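
A simplified model of the internal/external boundary as the post describes it, added here as an example; it is not part of the original message and not SpamAssassin's own code. The function name, the relay dictionaries and the documentation-range addresses are constructed for illustration.

```python
import ipaddress


def last_external(relays, internal_nets):
    """Return the IP a '-lastexternal' lookup would query, or None.

    relays: newest-first list of {'ip': str, 'auth': bool}, one entry per
    Received header, where 'ip' is the host that handed the message over.
    internal_nets: CIDR strings playing the role of internal_networks.
    (Hypothetical data model, assumed for this example.)
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    for relay in relays:
        ip = ipaddress.ip_address(relay["ip"])
        # Only reached while every newer hop was internal, so an
        # authenticated handoff here was made to an internal host and
        # is treated as internal, as the post describes.
        if relay.get("auth"):
            continue
        if any(ip in n for n in nets):
            continue
        # First hop outside the internal set: the boundary.
        return relay["ip"]
    return None


# Constructed sample: a dial-up user (203.0.113.77) submits through an
# ISP mail server (198.51.100.25), which relays to our MX in 192.0.2.0/24.
OUR_NETS = ["192.0.2.0/24"]
CHAIN = [
    {"ip": "198.51.100.25", "auth": False},  # ISP server -> our MX
    {"ip": "203.0.113.77", "auth": False},   # dial-up user -> ISP server
]
CHAIN_AUTH = [
    {"ip": "198.51.100.25", "auth": False},
    {"ip": "203.0.113.77", "auth": True},    # submission recorded as authenticated
]

if __name__ == "__main__":
    # ISP server trusted but not internal: the server itself is looked up.
    print(last_external(CHAIN, OUR_NETS))
    # ISP server made internal, no auth recorded: the dynamic IP is looked
    # up, which is where a PBL/DUL false positive comes from.
    print(last_external(CHAIN, OUR_NETS + ["198.51.100.25/32"]))
    # Same, with auth recorded: nothing external is left to look up.
    print(last_external(CHAIN_AUTH, OUR_NETS + ["198.51.100.25/32"]))
```
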