RBL and trusted users from blacklisted IP addresses

[ewr at erols.com]

This is probably as much of a sendmail question as a mailscanner question,
but I figured I'd start here.

My mail server is set up to use pop-before-smtp for authentication.  When a
user pops their email from the server, the IP address that they are checking
their mail from gets added to sendmail's access.db for 10 minutes.  It is
inserted into the file as "<ip> RELAY".

I am using mailscanner/spamassassin to scan all incoming mails.
"Spam List = OORDB-RBL SBL+XBL" is set in mailscanner.conf

My users are spread out around the country and connect to the internet from
constantly changing locations.  Most of the time everything works great.

The problem I am occassionally running into is that my users will
occassionally try to send email from a black-listed IP address.  This is
happening more and more as my users begin to use their laptops at hotels,
use Verizon wireless cards, etc.  If one of my users trys to send an email
to another user on my system from an RBL'd IP address, the email will be
marked as spam.

I don't have a complete understanding of the order of how sendmail processes
the headers, passes the email to mailscanner, etc...  But I suspect that
there must be some way to prevent these mails from being marked as spam.  

I have a considered a few approaches, but haven't figured out how to
actually accomplish any of them yet:
#1) Is there a way to rewrite the IP address in the "Recieved" header in the
email after it is accepted for RELAY?  I know I trust the email after it
makes it past the "access.db", so I could just put one of my own IP
addresses in there.

#2) Is there a way to check the IP against a dynamic white-list and mark it
as non-spam no matter what?  I can probably update our pop-before-smtp to
update another whitelist.

Any suggestions would be greatly appreciated.  We do have a VPN and if a
user uses the VPN there is no problem, but for various reasons VPN access
isn't always available.

Thanks!

Eric