You should accept the answer of David Smith because it's totally correct. However, I'd like to point out some additions.
First: You wrote that "These hosts all use the same identifying rDNS entry". That is really bad practice as your reverse lookups are not consistent in that case: The reverse lookup of an IP address will not necessarily resolve back to the IP in question, rendering the reverse lookup nearly useless, both in its sense and in practice.
Second: I really wonder about the described scenario where the IP addresses of users who are allowed to relay change often, but every new IP gets a reverse lookup matching your relay rule. If there is "some" technique automatically setting PTR records for the IPs in question, the same technique should be usable to automatically add them to the list of allowed relayers.
In any case, you had better use IP-based relaying instead of relying on the hostname. The reason for that is that anybody who controls PTR records for some IP address space can easily invent hostnames matching your relay rule with a faked record. This means that anybody pretending to be allowed to relay will be allowed to relay.
If you're running qmail under tcpserver you can work around this by setting the -P option (paranoid mode). It automatically ignores the reverse lookup of an IP address if the hostname resulting from the lookup does not resolve back to the connecting IP. Beware that this option ("paranoid mode") is off by default, and it will not work with your "all IP addresses have the same reverse lookup" setup. As I said, it's bad practice anyway, and breaking tcpserver's paranoid mode is a good example.
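The check that tcpserver's -P option performs is a forward-confirmed reverse DNS lookup: take the PTR name for the connecting IP, resolve that name forward, and only trust the name if the connecting IP is among the forward results. The following is an added example, not code from qmail, ucspi-tcp or the answer above. It implements that check against a constructed DNS table (the addresses and hostnames are hypothetical, taken from documentation ranges) so it runs offline, and shows why a spoofed PTR passes a hostname-only relay rule but fails both paranoid mode and an IP-based rule, and why giving every host the same PTR makes paranoid mode reject honest hosts as well.

```python
"""Forward-confirmed reverse DNS (FCrDNS) relay check, in the style of tcpserver -P.

Added example; not the qmail/ucspi-tcp implementation. DNS data is a constructed
table so the logic can be exercised offline. The resolver functions are
injectable, so the same logic can be wired to a real resolver (system_ptr /
system_a below) when needed.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional

# Constructed sample zone data (hypothetical, documentation address ranges).
PTR_RECORDS = {
    "192.0.2.10": "relay1.example.net",    # honest relayer: A record points back
    "192.0.2.11": "relay2.example.net",    # second honest relayer
    "192.0.2.20": "relay1.example.net",    # the "every host has the same rDNS" case
    "198.51.100.5": "relay1.example.net",  # PTR set by whoever controls that netblock
}
A_RECORDS = {
    "relay1.example.net": ["192.0.2.10"],
    "relay2.example.net": ["192.0.2.11"],
}

PtrLookup = Callable[[str], Optional[str]]
ALookup = Callable[[str], Iterable[str]]

# Hypothetical relay policy: hostname suffix rule vs. IP network rule.
RELAY_HOSTNAME_SUFFIX = ".example.net"
RELAY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def table_ptr(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table."""
    return PTR_RECORDS.get(ip)


def table_a(name: str) -> Iterable[str]:
    """Forward (A) lookup against the constructed table."""
    return A_RECORDS.get(name, [])


def system_ptr(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_a(name: str) -> Iterable[str]:
    """Forward lookup via the system resolver (not used by the offline demo)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return []


def confirmed_hostname(ip: str, ptr_lookup: PtrLookup = table_ptr,
                       a_lookup: ALookup = table_a) -> Optional[str]:
    """Return the PTR name for ip only if that name resolves back to ip.

    This is the paranoid-mode behaviour: a reverse name whose forward lookup
    does not contain the connecting IP is discarded as if no PTR existed.
    """
    name = ptr_lookup(ip)
    if name is None:
        return None
    if ip in set(a_lookup(name)):
        return name
    return None


def may_relay_by_hostname(ip: str, paranoid: bool = True,
                          ptr_lookup: PtrLookup = table_ptr,
                          a_lookup: ALookup = table_a) -> bool:
    """Hostname-suffix relay rule, with or without forward confirmation."""
    if paranoid:
        name = confirmed_hostname(ip, ptr_lookup, a_lookup)
    else:
        name = ptr_lookup(ip)  # trusts whatever the PTR owner published
    return name is not None and name.endswith(RELAY_HOSTNAME_SUFFIX)


def may_relay_by_ip(ip: str) -> bool:
    """IP-based relay rule: immune to PTR contents entirely."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RELAY_NETWORKS)


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(f"{ip:14} hostname-rule(no -P)={may_relay_by_hostname(ip, paranoid=False)!s:5} "
              f"hostname-rule(-P)={may_relay_by_hostname(ip)!s:5} "
              f"ip-rule={may_relay_by_ip(ip)}")
```

Running it shows the three outcomes the answer describes: 198.51.100.5 is accepted by the hostname rule only without paranoid mode, 192.0.2.20 (sharing relay1's PTR) is refused by paranoid mode even though it is a legitimate host, and the IP rule gives the intended answer in every case without consulting DNS at all.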