Subject: Re: daily (& security) mail not delivered
To: Alan Barrett <apb@cequrux.com>
From: Robert Elz <kre@munnari.OZ.AU>
List: tech-security
Date: 06/28/2003 21:26:13
    Date:        Sat, 28 Jun 2003 16:00:41 +0200
    From:        Alan Barrett <apb@cequrux.com>
    Message-ID:  <20030628140041.GS3711@apb.cequrux.com>

  | I tried a similar experiment with a DNS entry (instead of an /etc/hosts
  | entry) for localhost.${domain} having an IP address other than
  | 127.0.0.1, and sendmail *did* try to deliver to the other IP address.

This is because sendmail mostly uses resolver calls, not gethostbyname()
(or getaddrinfo()) and so misses nsswitch - it is primarily looking for
MX records after all, and last I heard anyway, there was no way to stick
an MX record in /etc/hosts.

This means that sticking localhost.domain in /etc/hosts would be completely
useless as a method to get mail delivered to 127.0.0.1 (attempting to
override the DNS).

The "security implications" of this are pretty minor; if you can't trust
the people who are running the DNS for your domain, there are lots of
other things that can be done to you, not just snarfing the daily cron
mail!   Doing that kind of trick (mangling the A record) is also likely
to break lots of other things, and be noticed fairly quickly.   On the
other hand, installing an MX record for localhost.domain has much the
same effect, but affects only mail.   Further, that's actually useful
to collect mail sent to localhost on lots of unmanaged systems, and get
it delivered centrally.

Furthermore, if you really want to insist that this mail get delivered to
the local root, and not some other root, then you can always just alias
(or .forward, which is the same thing) root to root@`hostname` and then
it will get delivered locally (assuming a default sendmail config anyway,
and assuming that hostname is set to a FQDN, not "foo").

kre
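
Added example, not part of the original message: a small audit, based on a simplified model of the MX-then-A lookup described above, that reports where mail for localhost.${domain} would go when only DNS data is consulted and /etc/hosts is ignored. The domain example.org, the addresses, and all function names are assumptions constructed for illustration; this is not sendmail's code.

```python
import ipaddress

# Constructed sample data (not from the original message).
HOSTS = "127.0.0.1 localhost localhost.example.org\n"
ZONE_A = ("localhost.example.org. IN A 192.0.2.25\n"
          "mailhub.example.org.   IN A 192.0.2.10\n")
ZONE_MX = ZONE_A + "localhost.example.org. IN MX 10 mailhub.example.org.\n"
ZONE_OK = "localhost.example.org. IN A 127.0.0.1\n"

def parse_zone(text):
    """Parse simple 'name IN type data' lines into {name: {"A": [...], "MX": [...]}}."""
    records = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[1] != "IN":
            continue
        entry = records.setdefault(f[0].rstrip(".").lower(), {"A": [], "MX": []})
        if f[2] == "A":
            entry["A"].append(f[3])
        elif f[2] == "MX" and len(f) >= 5:
            entry["MX"].append((int(f[3]), f[4].rstrip(".").lower()))
    return records

def hosts_lookup(text, name):
    """What an nsswitch 'files' lookup would return for name, or None."""
    for line in text.splitlines():
        f = line.split("#")[0].split()
        if name in f[1:]:
            return f[0]
    return None

def dns_mail_targets(records, name):
    """Simplified model: MX hosts by preference, else the name's own A records.
    /etc/hosts is never consulted, matching the behaviour described above."""
    entry = records.get(name, {"A": [], "MX": []})
    hosts = [h for _, h in sorted(entry["MX"])] or [name]
    return [ip for h in hosts for ip in records.get(h, {"A": []})["A"]]

def audit(zone_text, hosts_text, name):
    """Compare the hosts-file answer with the DNS-only delivery targets."""
    targets = dns_mail_targets(parse_zone(zone_text), name)
    off_host = [ip for ip in targets if not ipaddress.ip_address(ip).is_loopback]
    return {"hosts_file": hosts_lookup(hosts_text, name),
            "dns_targets": targets, "off_host": off_host}

if __name__ == "__main__":
    for label, zone in (("A only", ZONE_A), ("with MX", ZONE_MX), ("loopback", ZONE_OK)):
        print(label, audit(zone, HOSTS, "localhost.example.org"))
```

A non-empty off_host list means the /etc/hosts entry gives no protection for that name; only the zone data decides where the mail goes.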