Subject: Re: Sendmail and anti-spam
To: John Nemeth <jnemeth@cue.bc.ca>
From: Andrew Brown <twofsonet@graffiti.com>
List: tech-userlevel
Date: 02/17/1999 21:37:29
>} We should perhaps deny relaying and perhaps also accepting mail from
>} hosts that have no valid mx or such.
>
>     Absolutely NOT, this is completely bogus.  MX records indicate
>machines that are intended to receive mail, NOT ones that are
>intended to send mail.

a generic bsd4.4 config file from sendmail 8.9.3 will not openly relay
mail from anyone.  indeed, it will only accept mail that originates or
terminates locally (modulo any local forwarding rules of course).

it will also not accept mail from an invalid sender address, i.e., the
domain portion after the @ must either have an mx record or an a
record associated with it.

refusing to accept mail from hosts that cannot receive mail (because
they have no mx or a records) is problematic at best.

i recommend a configuration where the mc file contains

   FEATURE(relay_based_on_MX)

since that will allow the least amount of reconfiguration for most
people.  without that, all the domains for which your host is a
secondary (or other) mx host for a zone will have to have all those
zones listed in its /etc/mail/relay-domains file.  which is a pain.

it's not so hard to ask people to secondary mx for you.  trying to get
them to block open relaying and also reconfig to fit your dns changes
is a pain.

the only vulnerability there is if someone manages to poison your dns
server with an mx record for the email they want to relay through you.
which is more painful and bothersome than most spammers will try.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
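
Added example, not part of the original message and not sendmail's own ruleset: a simplified Python model of the relay decision discussed above, comparing a static /etc/mail/relay-domains list with FEATURE(relay_based_on_MX), plus an audit of which domains the resolver currently says this host is an MX for. The host name, domains, MX data and function names are all constructed assumptions.

```python
# Simplified model of the relay check; not sendmail's actual ruleset.
# All host names, domains and MX data below are constructed sample values.

LOCAL_HOST = "mail.example.org"      # this server (assumed name)
RELAY_DOMAINS = {"example.org"}      # stands in for /etc/mail/relay-domains

# MX answers as seen by this server's resolver (constructed).
MX_VIEW = {
    "example.org": ["mail.example.org"],
    "friend.example.net": ["mx1.friend.example.net", "mail.example.org"],
    "stranger.example.com": ["mx.stranger.example.com"],
}


def in_relay_domains(domain, relay_domains):
    """True if domain is a listed domain or a host/subdomain inside one."""
    return any(domain == d or domain.endswith("." + d) for d in relay_domains)


def may_relay(rcpt, mx_view, relay_domains=RELAY_DOMAINS, relay_based_on_mx=False):
    """Decide whether mail from a non-local client to rcpt would be relayed."""
    domain = rcpt.rsplit("@", 1)[1].lower().rstrip(".")
    if in_relay_domains(domain, relay_domains):
        return True
    if relay_based_on_mx:
        # With this feature the decision rests on whatever the resolver returns.
        hosts = (h.lower().rstrip(".") for h in mx_view.get(domain, []))
        return LOCAL_HOST in hosts
    return False


def unexpected_mx_relays(mx_view, expected):
    """Domains the resolver lists us as MX for that nobody arranged with us."""
    return sorted(d for d, hosts in mx_view.items()
                  if LOCAL_HOST in hosts and d not in expected)


if __name__ == "__main__":
    arranged = {"example.org", "friend.example.net"}
    for rcpt in ("a@example.org", "b@friend.example.net", "c@stranger.example.com"):
        print(rcpt,
              "static list:", may_relay(rcpt, MX_VIEW),
              "relay_based_on_MX:", may_relay(rcpt, MX_VIEW, relay_based_on_mx=True))
    print("unexpected MX relays:", unexpected_mx_relays(MX_VIEW, arranged))
```

With the static list, the secondary-MX domain is refused until someone edits relay-domains; with the MX-based check it is accepted automatically, and the audit function is the place an MX record that nobody arranged would show up.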