I use constraint checking in routers to check
user spam thresholds against message heuristics
for those cases when the ACLs cannot directly
reject a message--specifically, the cases
wherein the set of RCPT commands results in
varying user thresholds or wherein the recipient
in the RCPT command would pass the message
but a resulting aliased address would not.
The problem is, if one of those routers fails
an address, it is the final address that gets
reported in the bounce message--followed
by a "generated from..." line that indicates
the original address.
This is generally undesirable since it exposes
the alias configuration to the sender.
Is there a way to limit the rejected address
listing to only those rejected addresses that
are specifically contained in the original
envelope?