tcpd &

I really like the tcpwrapper. Without messing with ipfilter, one can easily set up quite a few access rules. While running seccheck, I noticed that TCP wrappers were not enabled on my system. A quick edit of hosts.allow and hosts.deny did the trick - except for sendmail:

[ID 801593] n28820cE016260: from=root, size=247, class=0, nrcpts=1, 
                      msgid=<200903080802.n28820cE016260@node1>, relay=root@localhost
[ID 801593 mail.notice] n28820u0016261: tcpwrappers (localhost, rejection
So, why would sendmail reject mail from localhost? Well, sendmail is linked against the TCP wrapper too:
$ ldd /usr/lib/sendmail | grep wrap =>  /usr/sfw/lib/
$ grep -v ^\# /etc/hosts.allow 
Apparently sendmail (or, to be correct: tcpd) does not like the subnet after, despite the manpage where it expects an "expression of the form `n.n.n.n/m.m.m.m' ". Well, removing the subnet helped, now sendmail delivers to localhost again.