In the FAQ distributed with qmail 1.03, question 5.5 describes the classic technique for cleaning up remotely injected mail. The smtprules.cdb file that tcpserver consults contains lines that set the RELAYCLIENT environment variable for hosts allowed to inject and relay mail. If RELAYCLIENT is set, qmail-smtpd both skips the usual relay validation and appends the contents of RELAYCLIENT to all envelope destination addresses. If RELAYCLIENT has the value @fixme, mail addressed to firstname.lastname@example.org is sent to email@example.com@fixme. If you define fixme as a virtual domain, all mail from these hosts is handled as virtual domain mail.
More concretely, start by creating a fixme virtual domain in virtualdomains:
Then create ~alias/.qmail-fixup-default:
| bouncesaying 'Permission denied' [ "@$HOST" != "@fixme" ] | qmail-inject -f "$SENDER" -- "$DEFAULT"
The first line checks that the mail is really sent to the fixme virtual domain, so that sneaky bad guys can't relay mail by sending it to alias-fixup-victim@firstname.lastname@example.org (assuming example.com is your local domain.) The second line feeds the mail through qmail-inject, preserving the original sender and remailing it to $DEFAULT, which was the original destination address before @fixme was added. Finally, add the @fixme strings to the local network entries in smtprules.txt and rebuild smtprules.cdb:
127.:allow,RELAYCLIENT="@fixme" 172.16.42.:allow,RELAYCLIENT="@fixme" ...