>Having proved beyond all shadow of a doubt that sending mail to 
>root@localhost leaves a security leak a mile wide, what should be done?

no, it doesn't.  you fail to understand what's going on.

>The zone administrator (or DNS spoofer) can redirect all root mail, by 
>adding a zone entry "localhost.dom.ain." that points to some other 
>place than 127.0.0.1.  Is this considered a feature?

that doesn't matter.  that will only be looked for if "localhost" by
itself is not found.

>I proposed PR install/21999, to modify the /etc/hosts file to include 
>"localhost.dom.ain", right next to the "host.dom.ain host" line.
>
>So far, most commentators oppose this change.
>
>Alternatives?

sendmail knows to deliver to "localhost".  it looks up "localhost" and
finds 127.0.0.1.  when it attempts delivery there, it also looks up
1.0.0.127.in-addr.arpa so that it can put a canonicalized name in the
logs.  in your case, that maps to "localhost.citi.umich.edu".  you
need to fix that, but i don't believe it's a problem.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
werdna@squooshy.com       * "information is power -- share the wealth."