>> Is there a reason you don't want to make root@host2 or @host2 a valid
>> recipient on host1?
>
> Mainly because if I were to spin up host3, 4 and 5, I'd prefer not to
> have to change the config on host1.

Then I would suggest using authentication.
On hostX:

    action "relay2host1" relay \
        host smtps://foo@host1 \
        auth { foo = password }
    match from any for any action "relay2host1"

And on host1 mail from foo gets accepted no matter what:

    listen on $v4adr port 12345 smtps \
        hostname host1 pki host1 \
        auth { foo = "$2b$08$dB1z..." }  # hash generated with: smtpctl encrypt password
    action "send_by_hostX" ... virtual { "@" => user }
    match auth foo from any for any action "send_by_hostX"

HTH
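
A small audit for the two snippets above, as an added example that is not part of the original message: it joins continuation lines, finds inline `auth { ... }` tables and reports credentials kept as plaintext. The sample config, the placeholder hash and the names `logical_lines` and `audit` are constructed for illustration.

```python
import re

# Constructed sample mirroring the two snippets above; the password and the
# hash are placeholders, not values from the original message.
SAMPLE_CONF = r'''
action "relay2host1" relay \
    host smtps://foo@host1 \
    auth { foo = password }
match from any for any action "relay2host1"
listen on 192.0.2.1 port 12345 smtps \
    hostname host1 pki host1 \
    auth { foo = "$2b$08$CONSTRUCTEDPLACEHOLDERHASH" }
match auth foo from any for any action "send_by_hostX"
'''

INLINE_AUTH = re.compile(r'\bauth\s*\{([^}]*)\}')            # auth { ... }
PAIR = re.compile(r'("[^"]*"|[^\s,=]+)\s*=>?\s*("[^"]*"|[^\s,]+)')
CRYPT_HASH = re.compile(r'^\$[0-9a-z]+\$')                   # e.g. $2b$ prefix
RELAY_PLAINTEXT = "relay password stored inline in the config file"
LISTEN_PLAINTEXT = "listener credential is not a crypt-style hash"

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    for line in re.sub(r'\\\n', ' ', text).splitlines():
        line = line.split('#', 1)[0].strip()   # simplification: no '#' in values
        if line:
            yield line

def audit(text):
    """Return (directive, user, finding) for each risky inline auth entry."""
    findings = []
    for line in logical_lines(text):
        directive = line.split()[0]
        for table in INLINE_AUTH.findall(line):
            for key, value in PAIR.findall(table):
                key, value = key.strip('"'), value.strip('"')
                hashed = bool(CRYPT_HASH.match(value))
                if directive == "action" and not hashed:
                    findings.append((directive, key, RELAY_PLAINTEXT))
                elif directive == "listen" and not hashed:
                    findings.append((directive, key, LISTEN_PLAINTEXT))
    return findings

if __name__ == "__main__":
    for directive, user, finding in audit(SAMPLE_CONF):
        print(f"{directive}: user {user!r}: {finding}")
```

The relay side has to hold the password in usable form, so that finding is about where it is stored: smtpd.conf(5) also accepts a table reference such as `auth <secrets>`, which keeps the secret in a separate file with restrictive permissions.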