I really like the tcpwrapper. Without messing with ipfilter, one can easily set up quite a few access rules. While running seccheck, I noticed that TCP wrappers were not enabled on my system. A quick edit of hosts.allow and hosts.deny did the trick - except for sendmail:

[ID 801593 mail.info] n28820cE016260: from=root, size=247, class=0, nrcpts=1, 
                      msgid=<200903080802.n28820cE016260@node1>, relay=root@localhost
[ID 801593 mail.notice] n28820u0016261: tcpwrappers (localhost, 127.0.0.1) rejection

So, why would sendmail reject mail from localhost? Well, sendmail is linked against the TCP wrapper too:

$ ldd /usr/lib/sendmail | grep wrap
        libwrap.so.1 =>  /usr/sfw/lib/libwrap.so.1
$ grep -v ^\# /etc/hosts.allow 
ALL: 127.0.0.1/255.0.0.0
ALL: 10.200.0.0/255.255.255.0

Apparently sendmail (or, to be correct: tcpd) does not like the subnet after 127.0.0.1, despite the manpage where it expects an "expression of the form `n.n.n.n/m.m.m.m' ". Well, removing the subnet helped, now sendmail delivers to localhost again.