Subject: Re: daily (& security) mail not delivered
To: NetBSD current list <>
From: Alan Barrett <>
List: tech-security
Date: 06/28/2003 16:00:41
On Sat, 28 Jun 2003, Alan Barrett wrote:
> I think you mean "sendmail's logs and queue files imply that delivery is
> attempted to".  I think you'll find that that
> name is not really used for delivery.
> At least, when I tried adding an /etc/hosts entry for
> localhost.${domain} with an IP address other than, and sent
> mail to "root@localhost", sendmail did not connect to the other IP
> address, and eth mail was delivered to root's mailbox on teh local
> machine.

I tried a similar experiment with a DNS entry (instead of an /etc/hosts
entry) for localhost.${domain} having an IP address other than, and sendmail *did* try to deliver to the other IP address.

I think that this is a security problem in sendmail.  Mail
to root@localhost should go to the real localhost, not to
localhost.${domain}.  I suggest that people discuss it on tech-security
under the subject "localhost security hole".

--apb (Alan Barrett)