Blocking access via access.db, but allowing authenticated users.

We, like many, have our web and email services hosted externally.
Our server is running sendmail, and our users use a webmail client or
IMAP client to get and send their mail. Users do not have static IPs
and many travel. (i.e. its impossible to know what IPs to "ALLOW" for
our user community)

This is fine, as our server seems to have a system that will allow
authenticated users to relay once their IP has been entered into a
table after their first login. (not sure what is running this
service, but its not touching the access file)

We are trying Postini's spam services. To do this right, we must
only allow postini to send to our servers and block all other
systems. This is because many don't pay attention to the mx records.

It seems i can do this by adding postini's IPs as ALLOW, then adding 1
DENY, 2 DENY, 3.... 255 DENY (whew, thats a pain - why no wildcard?)
in the access file.

However, the access file overrides the authenticated users, so now
I've blocked all our users from sending mail.

I feel like we can't be the first to need this type of service, but in
asking postini they are confused. They seem to only know how to
handle Exchange email systems or companies with corporate firewalls
and all their users being internal.

Suggestions? I'm on a Freebsd system.