Subject: Re: daily (& security) mail not delivered
To: NetBSD current list <current-users@netbsd.org>
From: Alan Barrett <apb@cequrux.com>
List: tech-security
Date: 06/28/2003 16:00:41

On Sat, 28 Jun 2003, Alan Barrett wrote:
> I think you mean "sendmail's logs and queue files imply that delivery is
> attempted to localhost.citi.unich.edu".  I think you'll find that that
> name is not really used for delivery.
> 
> At least, when I tried adding an /etc/hosts entry for
> localhost.${domain} with an IP address other than 127.0.0.1, and sent
> mail to "root@localhost", sendmail did not connect to the other IP
> address, and the mail was delivered to root's mailbox on the local
> machine.

I tried a similar experiment with a DNS entry (instead of an /etc/hosts
entry) for localhost.${domain} having an IP address other than
127.0.0.1, and sendmail *did* try to deliver to the other IP address.

I think that this is a security problem in sendmail.  Mail
to root@localhost should go to the real localhost, not to
localhost.${domain}.  I suggest that people discuss it on tech-security
under the subject "localhost security hole".

--apb (Alan Barrett)
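
An added example, not part of the original message: a small audit for the condition described above, reporting any localhost.${domain} name that resolves to a non-loopback address. It assumes the ${domain} values are the ones on the `domain` and `search` lines of resolv.conf, and it uses the system resolver, which may consult /etc/hosts as well as DNS; the sample file contents and the function names are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample resolv.conf, not taken from the original message.
SAMPLE_RESOLV_CONF = """\
# constructed example
domain example.org
search example.org corp.example.org
nameserver 192.0.2.53
"""

def candidate_names(resolv_conf_text):
    """Return the localhost.<domain> names that 'localhost' could be expanded to."""
    domains = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) >= 2 and fields[0] in ("domain", "search"):
            for d in fields[1:]:
                d = d.rstrip(".").lower()
                if d and d not in domains:
                    domains.append(d)
    return ["localhost." + d for d in domains]

def non_loopback(addresses):
    """Return the addresses outside 127.0.0.0/8 and ::1."""
    # An IPv6 scope id ("%eth0") is stripped before parsing.
    return [a for a in addresses
            if not ipaddress.ip_address(a.split("%")[0]).is_loopback]

def resolve(name):
    """Resolve a fully qualified name; return [] if it does not exist."""
    try:
        infos = socket.getaddrinfo(name + ".", None)  # trailing dot: no search list
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def audit(resolv_conf_text, resolver=resolve):
    """Map each localhost.<domain> name to its non-loopback addresses, if any."""
    findings = {}
    for name in candidate_names(resolv_conf_text):
        bad = non_loopback(resolver(name))
        if bad:
            findings[name] = bad
    return findings

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        for name, addrs in audit(fh.read()).items():
            print(f"{name} resolves off-host: {', '.join(addrs)}")
```

An empty result means no localhost.${domain} name visible to this host's resolver points away from the loopback interface.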