* configure.ac: Add TCP wrappers support.

* imap4d/Makefile.am, mu_daemon_argp_parser (LDADD): Add
TCPWRAP_LIBRARIES.
* imap4d/imap4d.c: Include tcpwrap.h
(imap4d_mainloop): Check the connection using tcp wrappers.
* imap4d/preauth.c: Fix a typo in the comment.
* maidag/maidag.h: Include tcpwrap.h
* maidag/maidag.c, maidag/lmtp.c: Add TCP wrappers support.
* pop3d/pop3d.c: Include tcpwrap.h
(pop3d_mainloop): Check the connection using tcp wrappers.
* lib/Makefile.am: Add tcpwrap.c and tcpwrap.h
* lib/tcpwrap.c: New file.
* lib/tcpwrap.h: New file.
* libargp/common.c (mu_daemon_argp_parser): Bugfix.

+2007-12-05  Sergey Poznyakoff  <gray@gnu.org.ua>
+
+	* configure.ac: Add TCP wrappers support.
+	* imap4d/Makefile.am, mu_daemon_argp_parser (LDADD): Add
+	TCPWRAP_LIBRARIES. 
+	* imap4d/imap4d.c: Include tcpwrap.h
+	(imap4d_mainloop): Check the connection using tcp wrappers.
+	* imap4d/preauth.c: Fix a typo in the comment.
+	* maidag/maidag.h: Include tcpwrap.h
+	* maidag/maidag.c, maidag/lmtp.c: Add TCP wrappers support.
+	* pop3d/pop3d.c: Include tcpwrap.h
+	(pop3d_mainloop): Check the connection using tcp wrappers.
+	* lib/Makefile.am: Add tcpwrap.c and tcpwrap.h
+	* lib/tcpwrap.c: New file.
+	* lib/tcpwrap.h: New file.
+	* libargp/common.c (mu_daemon_argp_parser): Bugfix.
+
 2007-12-04  Sergey Poznyakoff  <gray@gnu.org.ua>
 
 	II. Extend --config-help output.  Each configuration parameter

-GNU mailutils NEWS -- history of user-visible changes. 2007-12-03
+GNU mailutils NEWS -- history of user-visible changes. 2007-12-05
 Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation, Inc.
 See the end of file for copying conditions.
 
@@ -9,7 +9,86 @@ Version 1.2.90:
 
 * New configuration file format.
 
-* Diagnostic and debugging functions essentially rewritten.
+* Programs
+
+** Debugging and online help
+
+Each Mailutils utility understands two additional command line
+options:
+
+ --debug-level=LEVEL    Set Mailutils debugging level.
+ --debug-line-info      Show source info with debugging messages.
+
+(see also `** Global debugging and verbosity settings.', below)
+
+The programs using configuration file facility also understand the
+--config-help command line option.  This option prints on the standard
+output the detailed description of configuration file statements that
+affect the given program.
+
+** New utility `maidag'
+
+Maidag is a MAIl Delivery AGent. It is a general-purpose MDA able to
+run in both traditional and LMTP mode and to deliver mails to various
+mailbox formats. It is also able to process incoming messages using
+Sieve or Scheme scripts and, based on results of this processing,
+to take a decision on whether to actually deliver and where to
+deliver them.
+
+** New Sieve action `pipe'
+
+Syntax: pipe [:envelope] <command line: string> 
+
+This action executes the given <command line> and pipes the message to
+its standard input. If the :envelope tag is given, the envelope of the
+message is piped as well.
+
+** Client SMTP STARTTLS support
+
+** Support for new protocols: POPS (pops://) and IMAPS (imaps://),
+
+** LDAP support (authentication and authorization).
+
+** Support for TCP wrappers.
+
+The support for TCP wrappers is added to the daemon programs (imap4d,
+pop3d, maidag). The support is controlled at compile time by the
+--with-tcpwrappers command line options to configure. By default, it
+is enabled if libwrap presence is detected. A set of configuration
+file statements are provided for fine tuning TCP wrappers at run-time.
+
+** pop3d: Fixed APOP handling.
+
+** imap4d supports PREAUTH mode.
+
+Three mechanisms are provided for authentifying the connection in
+PREAUTH mode:
+
+ 1. stdio - PREAUTH mode is enabled automatically if imap4d is started
+    from command line in interactive mode (-i command line
+    option). The current login name is used as the user name.
+
+ 2. ident - The remote machine is asked about the requester identity
+    using the identification protocol (RFC 1413). Both plaintext and
+    DES encrypted replies are understood.
+
+ 3. prog - Imap4d invokes an external program to authenticate the
+    connection. Four arguments are supplied to the program:
+
+      1) Remote IP address in dotted-quad notation;
+      2) Remote port number;
+      3) Local IP address (currently "0.0.0.0");
+      4) Local port number.
+
+    If the connection is authenticated, the program should print the
+    user name, followed by a newline character, on its standard
+    output and exit with code 0.
+
+    Otherwise, it shoud exit with a non-zero exit code.
+    
+* Libraries
+
+** Diagnostic and debugging functions essentially rewritten.
 
 A set of debugging macros, MU_DEBUG0 through MU_DEBUG11, is provided.
 New functions mu_debug_printf and mu_debug_vprintf allow for flexible
@@ -43,7 +122,7 @@ approach is recommended to use instead of mu_error_set_print:
       mu_diag_get_debug (&debug);
       mu_debug_set_print (debug, new_printer, NULL);
 
-* Global debugging and verbosity settings.
+** Global debugging and verbosity settings.
 
 These settings provide default values for mu_debug_t objects created
 by various library objects. The following functions are provided for
@@ -53,27 +132,12 @@ dealing with global debugging level:
    int mu_global_debug_set_level (const char *object_name, unsigned level);
    int mu_global_debug_clear_level (const char *object_name);
 
-Each Mailutils utility understands two additional command line
-options:
-
- --debug-level=LEVEL    Set Mailutils debugging level.
- --debug-line-info      Show source info with debugging messages.
-      
-* New utility `maidag'
-
-Maidag is a MAIl Delivery AGent. It is a general-purpose MDA able to
-run in both traditional and LMTP mode and to deliver mails to various
-mailbox formats. It is also able to process incoming messages using
-Sieve or Scheme scripts and, based on results of this processing,
-to take a decision on whether to actually deliver and where to
-deliver them.
-
-* New function mu_mailbox_sync
+** New function mu_mailbox_sync
 
 It supercedes mu_mailbox_save_attributes, which is now considered
 deprecated.
 
-* Observable event handling
+** Observable event handling
 
 Each event type is associated with an event-specific data
 pointer. This pointer is passed to event handling functions along with
@@ -92,14 +156,6 @@ message is appended to the mailbox.
 A set of functions are provided for so-called `quick access' to mail
 messages. FIXME: describe it.
 
-* New Sieve action `pipe'
-
-Syntax: pipe [:envelope] <command line: string> 
-
-This action executes the given <command line> and pipes the message to
-its standard input. If the :envelope tag is given, the envelope of the
-message is piped as well.
-
 * New `aget' and `sget' accessors for mu_url_t
 
 The following new accessors are provided:
@@ -138,41 +194,6 @@ It is parsed as an absolute file name `/a/b'.
 Previous versions incorrectly understood such an URL as `a/b'
 (relative file name). 
 
-* Client SMTP STARTTLS support
-
-* Support for new protocols: POPS (pops://) and IMAPS (imaps://),
-
-* LDAP support (authentication and authorization).
-
-* Fixed APOP handling.
-
-* imap4d supports PREAUTH mode.
-
-Three mechanisms are provided for authentifying the connection in
-PREAUTH mode:
-
- 1. stdio - PREAUTH mode is enabled automatically if imap4d is started
-    from command line in interactive mode (-i command line
-    option). The current login name is used as the user name.
-
- 2. ident - The remote machine is asked about the requester identity
-    using the identification protocol (RFC 1413). Both plaintext and
-    DES encrypted replies are understood.
-
- 3. prog - Imap4d invokes an external program to authenticate the
-    connection. Four arguments are supplied to the program:
-
-      1) Remote IP address in dotted-quad notation;
-      2) Remote port number;
-      3) Local IP address (currently "0.0.0.0");
-      4) Local port number.
-
-    If the connection is authenticated, the program should print the
-    user name, followed by a newline character, on its standard
-    output and exit with code 0.
-
-    Otherwise, it shoud exit with a non-zero exit code.
-
 * Remove v0.6 compatibility layer.
 
 

@@ -75,6 +75,7 @@ status_gsasl=no
 status_mysql=no
 status_pgsql=no
 status_ldap=no
+status_tcpwrap=maybe
 
 dnl Internationalization macros.
 AM_GNU_GETTEXT([external], [need-ngettext])
@@ -148,6 +149,43 @@ case "${enableval}" in
   *)   AC_MSG_ERROR([bad value ${enableval} for --disable-pam]) ;;
 esac],[testpam=yes])
 
+AC_ARG_WITH(tcp-wrappers,
+	AC_HELP_STRING([--with-tcp-wrappers],
+	               [compile with TCP wrappers (libwrap) support]),
+	[status_tcpwrap=${withval}],
+	[status_tcpwrap=maybe])
+
+saved_LIBS=$LIBS
+TCPWRAP_LIBRARIES=
+case $status_tcpwrap in
+ yes) AC_CHECK_LIB(wrap, main,,
+                   [AC_MSG_ERROR([Required library libwrap not found])])
+      AC_CHECK_LIB(nsl, main,
+                   [TCPWRAP_LIBRARIES=-lnsl])
+      AC_CHECK_HEADERS(tcpd.h,,
+                       [AC_MSG_ERROR([Required header tcpd.h not found])])
+      status_tcpwrap=yes
+      ;;
+
+ maybe)
+      AC_CHECK_LIB(wrap, main,
+                   [status_tcpwrap=yes],
+                   [status_tcpwrap=no])
+      AC_CHECK_LIB(nsl, main, [TCPWRAP_LIBRARIES=-lnsl])
+      AC_CHECK_HEADERS(tcpd.h,
+                       [status_tcpwrap=yes],
+                       [status_tcpwrap=no])
+      ;;
+ no)  ;;
+esac
+LIBS=$saved_LIBS
+
+if test "$status_tcpwrap" = "yes"; then
+  AC_SUBST(TCPWRAP_LIBRARIES, "$TCPWRAP_LIBRARIES -lwrap")
+  AC_DEFINE_UNQUOTED(WITH_LIBWRAP, 1,
+                     [Define to 1 to use tcp wrappers.])
+fi
+
 AC_ARG_ENABLE([pthread],
               AC_HELP_STRING([--disable-pthread],
                              [disable pthread]),
@@ -1070,6 +1108,7 @@ Use GNU TLS.................... $status_gnutls
 Use GSASL...................... $status_gsasl
 Use GSSAPI..................... $status_gssapi
 Use Guile...................... $status_guile
+Use TCP wrappers............... $status_tcpwrap
 Pthread support................ $status_pthread
 Readline support............... $status_readline
 MySQL support.................. $status_mysql
@@ -1104,6 +1143,7 @@ status_gnutls=$WITH_GNUTLS
 status_gsasl=$status_gsasl
 status_gssapi=$WITH_GSSAPI
 status_guile=$useguile
+status_tcpwrap=$status_tcpwrap
 status_pthread=$usepthread
 status_readline=$usereadline
 status_mysql=$status_mysql

@@ -70,7 +70,7 @@ imap4d_LDADD = \
  ${MU_LIB_AUTH}\
  @MU_AUTHLIBS@ \
  ${MU_LIB_MAILUTILS}\
- @SERV_AUTHLIBS@ @MU_COMMON_LIBRARIES@
+ @SERV_AUTHLIBS@ @MU_COMMON_LIBRARIES@ @TCPWRAP_LIBRARIES@
 
 ## This kludge is necessary to correctly establish imap4d -> IMAP_AUTHOBJS
 ## and imap4d -> MU_AUTHLIBS dependencies. Automake stupidly refuses to 

@@ -22,11 +22,11 @@
 # include <mailutils/gsasl.h>
 #endif
 #include "mailutils/libargp.h"
+#include "tcpwrap.h"
 
 mu_mailbox_t mbox;
 char *homedir;
 int state = STATE_NONAUTH;
-int debug_mode = 0;
 struct mu_auth_data *auth_data;
 
 struct mu_gocs_daemon default_gocs_daemon = {
@@ -299,7 +299,8 @@ static struct mu_cfg_param imap4d_cfg_param[] = {
   { "ident-keyfile", mu_cfg_string, &ident_keyfile, NULL,
     N_("Name of DES keyfile for decoding ecrypted ident responses.") },
   { "ident-entrypt-only", mu_cfg_bool, &ident_encrypt_only, NULL,
-    N_("Use only ecrypted ident responses.") },
+    N_("Use only encrypted ident responses.") },
+  TCP_WRAPPERS_CONFIG
   { NULL }
 };
     
@@ -343,12 +344,7 @@ main (int argc, char **argv)
     mu_pam_service = "gnu-imap4d";
 #endif
 
-  if (mu_gocs_daemon.mode == MODE_INTERACTIVE)
-    {
-      if (preauth_mode != preauth_stdio)
-	debug_mode = 1;
-    }
-  else
+  if (mu_gocs_daemon.mode == MODE_DAEMON)
     {
       /* Normal operation: */
       /* First we want our group to be mail so we can access the spool.  */
@@ -457,10 +453,48 @@ imap4d_session_setup (char *username)
   return imap4d_session_setup0 ();
 }
 
+int
+get_client_address (int fd, struct sockaddr_in *pcs)
+{
+  int len = sizeof *pcs;
+
+  if (getpeername (fd, (struct sockaddr *) pcs, &len) < 0)
+    {
+      mu_diag_output (MU_DIAG_ERROR,
+		      _("Cannot obtain IP address of client: %s"),
+		      strerror (errno));
+      return 1;
+    }
+
+  mu_diag_output (MU_DIAG_INFO, _("Connect from %s"), 
+		  inet_ntoa (pcs->sin_addr));
+  return 0;
+}
+
 static int
 imap4d_mainloop (int fd, FILE *infile, FILE *outfile)
 {
   char *text;
+  struct sockaddr_in cs;
+  int debug_mode = isatty (fd);
+
+  mu_diag_output (MU_DIAG_INFO, _("Incoming connection opened"));
+  if (!debug_mode)
+    {
+      if (get_client_address (fd, &cs) == 0) 
+	{
+	  if (!mu_tcpwrapper_access (fd))
+	    {
+	      mu_error (_("Access from %s blocked."), inet_ntoa (cs.sin_addr));
+	      return 1;
+	    }
+	}
+      else if (mu_tcp_wrapper_enable)
+	{
+	  mu_error (_("Rejecting connection from unknown address"));
+	  return 1;
+	}
+    }
   
   /* Reset hup to exit. */
   signal (SIGHUP, imap4d_signal);
@@ -469,13 +503,16 @@ imap4d_mainloop (int fd, FILE *infile, FILE *outfile)
 
   util_setio (infile, outfile);
 
+  if (imap4d_preauth_setup (fd) == 0)
+    {
       if (debug_mode)
 	{
 	  mu_diag_output (MU_DIAG_INFO, _("Started in debugging mode"));
 	  text = "IMAP4rev1 Debugging mode";
 	}
-  else if (imap4d_preauth_setup (fd) == 0)
+      else
 	text = "IMAP4rev1";
+    }
   else
     {
       util_flush_output ();
@@ -593,10 +630,14 @@ imap4d_daemon (unsigned int maxchildren, unsigned int port)
       else if (pid == 0)	/* Child.  */
 	{
 	  int status;
+	  
 	  close (listenfd);
+
 	  status = imap4d_mainloop (connfd,
 				    fdopen (connfd, "r"),
 				    fdopen (connfd, "w"));
+	    
+	  close (connfd);
 	  closelog ();
 	  exit (status);
 	}

@@ -40,7 +40,7 @@ do_preauth_stdio (struct sockaddr_in *pcs)
    
       "%*[^:]: USERID :%*[^:]:%s"
 
-   returns a malloced copy of the %s part.  Otherwise, return NULL. */
+   returns a mallocked copy of the %s part.  Otherwise, return NULL. */
 
 static char *
 ident_extract_username (char *reply)
@@ -440,14 +440,10 @@ imap4d_preauth_setup (int fd)
   int len = sizeof cs;
   char *username = NULL;
 
-  mu_diag_output (MU_DIAG_INFO, _("Incoming connection opened"));
   if (getpeername (fd, (struct sockaddr *) &cs, &len) < 0)
     mu_diag_output (MU_DIAG_ERROR,
 		    _("Cannot obtain IP address of client: %s"),
 		    strerror (errno));
-  else
-    mu_diag_output (MU_DIAG_INFO, _("Connect from %s"), 
-		    inet_ntoa (cs.sin_addr));
 
   auth_data = NULL;
   switch (preauth_mode)

@@ -25,12 +25,14 @@ INCLUDES = @MU_COMMON_INCLUDES@
 libmuaux_la_SOURCES += \
  daemon.c\
  mailcap.c\
- mailcap.h\
- mu_dbm.c
+ mu_dbm.c\
+ tcpwrap.c
 
 noinst_HEADERS +=\
+ mailcap.h\
  mu_dbm.h\
- mu_asprintf.h
+ mu_asprintf.h\
+ tcpwrap.h
 
 EXTRA_DIST += utmp.c
 gl_LIBOBJS += @LIBOBJS@

+/* GNU Mailutils -- a suite of utilities for electronic mail
+   Copyright (C) 1999, 2001, 2002, 2003, 2004, 
+   2005, 2006, 2007 Free Software Foundation, Inc.
+
+   GNU Mailutils is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3, or (at your option)
+   any later version.
+
+   GNU Mailutils is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with GNU Mailutils; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+   MA 02110-1301 USA */
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+#include <syslog.h>
+#include <string.h>
+#include <mailutils/debug.h>
+#include <mailutils/nls.h>
+#include <mailutils/syslog.h>
+#include <mailutils/cfg.h>
+#include <mailutils/diag.h>
+
+int mu_tcp_wrapper_enable = 1;
+char *mu_tcp_wrapper_daemon;
+
+#ifdef WITH_LIBWRAP
+# include <tcpd.h>
+int deny_severity = LOG_INFO;
+int allow_severity = LOG_INFO;
+
+int
+mu_tcp_wrapper_cb_hosts_allow (mu_debug_t debug, void *data, char *arg)
+{
+  hosts_allow_table = strdup (arg);
+  return 0;
+}
+
+int
+mu_tcp_wrapper_cb_hosts_deny (mu_debug_t debug, void *data, char *arg)
+{
+  hosts_deny_table = strdup (arg);
+  return 0;
+}
+
+int
+mu_tcp_wrapper_cb_hosts_allow_syslog (mu_debug_t debug, void *data,
+				      char *arg)
+{
+  if (mu_string_to_syslog_facility (arg, &allow_severity))
+    mu_cfg_format_error (debug, MU_DEBUG_ERROR, 
+			 _("Unknown syslog facility `%s'"), 
+			 arg);
+  return 0;
+}
+
+int
+mu_tcp_wrapper_cb_hosts_deny_syslog (mu_debug_t debug, void *data, char *arg)
+{
+  if (mu_string_to_syslog_facility (arg, &deny_severity))
+    mu_cfg_format_error (debug, MU_DEBUG_ERROR, 
+			 _("Unknown syslog facility `%s'"), 
+			 arg);
+  return 0;
+}
+
+int
+mu_tcpwrapper_access (int fd)
+{
+  struct request_info req;
+
+  if (!mu_tcp_wrapper_enable)
+    return 1;
+  request_init (&req,
+		RQ_DAEMON,
+		mu_tcp_wrapper_daemon ?
+		     mu_tcp_wrapper_daemon : mu_program_name,
+		RQ_FILE, fd, NULL);
+  fromhost (&req);
+  return hosts_access (&req);
+}
+
+#else
+
+int
+mu_tcpwrapper_access (int fd)
+{
+  return 1;
+}
+
+#endif

+/* GNU Mailutils -- a suite of utilities for electronic mail
+   Copyright (C) 1999, 2001, 2002, 2003, 2004, 
+   2005, 2006, 2007 Free Software Foundation, Inc.
+
+   GNU Mailutils is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3, or (at your option)
+   any later version.
+
+   GNU Mailutils is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with GNU Mailutils; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+   MA 02110-1301 USA */
+
+#include <mailutils/types.h>
+
+extern int mu_tcp_wrapper_enable;
+const char *mu_tcp_wrapper_daemon;
+extern int mu_tcp_wrapper_cb_hosts_allow (mu_debug_t debug, void *data,
+					  char *arg);
+extern int mu_tcp_wrapper_cb_hosts_deny (mu_debug_t debug, void *data,
+					 char *arg);
+extern int mu_tcp_wrapper_cb_hosts_allow_syslog (mu_debug_t debug, void *data,
+						 char *arg);
+extern int mu_tcp_wrapper_cb_hosts_deny_syslog (mu_debug_t debug, void *data,
+						char *arg);
+extern int mu_tcpwrapper_access (int fd);
+
+#ifdef WITH_LIBWRAP
+# define TCP_WRAPPERS_CONFIG						      \
+  { "tcp-wrapper-enable", mu_cfg_bool, &mu_tcp_wrapper_enable, NULL,	      \
+    N_("Enable TCP wrapper access control.  Default is \"yes\".") },	      \
+  { "tcp-wrapper-daemon", mu_cfg_string, &mu_tcp_wrapper_daemon, NULL,	      \
+    N_("Set daemon name for TCP wrapper lookups.  Default is program name."), \
+    N_("name") },							      \
+  { "hosts-allow-table", mu_cfg_callback, NULL, mu_tcp_wrapper_cb_hosts_allow,\
+    N_("Use file for positive client address access control "		      \
+       "(default: /etc/hosts.allow)."),					      \
+    N_("file") },							      \
+  { "hosts-deny-table", mu_cfg_callback, NULL, mu_tcp_wrapper_cb_hosts_deny,  \
+    N_("Use file for negative client address access control "		      \
+       "(default: /etc/hosts.deny)."),					      \
+    N_("file") },							      \
+  { "hosts-allow-syslog-level", mu_cfg_callback, NULL,			      \
+    mu_tcp_wrapper_cb_hosts_allow_syslog,				      \
+    N_("Log host allows at this syslog level.  See logging { facility } for " \
+       "a description of argument syntax."),				      \
+    N_("level") },							      \
+  { "hosts-allow-deny-level", mu_cfg_callback, NULL,			      \
+    mu_tcp_wrapper_cb_hosts_deny_syslog,				      \
+    N_("Log host denies at this syslog level.  See logging { facility } for " \
+       "a description of argument syntax."),				      \
+    N_("level") },
+#else
+# define TCP_WRAPPERS_CONFIG
+#endif

@@ -494,7 +494,9 @@ mu_daemon_argp_parser (int key, char *arg, struct argp_state *state)
   switch (key)
     {
     case 'd':
-      mu_argp_node_list_new (&lst, "mode", arg);
+      mu_argp_node_list_new (&lst, "mode", "daemon");
+      if (arg)
+	mu_argp_node_list_new (&lst, "max-children", arg);
       break;
 
     case 'i':

@@ -43,7 +43,8 @@ maidag_LDADD = \
  ${MU_LIB_MAILER}\
  @MU_AUTHLIBS@\
  ${MU_LIB_MAILUTILS} \
- @MU_COMMON_LIBRARIES@
+ @MU_COMMON_LIBRARIES@\
+ @TCPWRAP_LIBRARIES@
 
 install-exec-hook:
 	for i in $(sbin_PROGRAMS); do\

@@ -761,8 +761,8 @@ lmtp_loop (FILE *in, FILE *out)
   return 0;
 }
 
-void
-log_connection (all_addr_t *addr, socklen_t addrlen)
+int
+check_connection (int fd, all_addr_t *addr, socklen_t addrlen)
 {
   switch (addr->sa.sa_family)
     {
@@ -771,8 +771,16 @@ log_connection (all_addr_t *addr, socklen_t addrlen)
       break;
       
     case PF_INET:
-      mu_diag_output (MU_DIAG_INFO, _("connect from %s"), inet_ntoa (addr->s_in.sin_addr));
+      if (!mu_tcpwrapper_access (fd))
+	{
+	  mu_error (_("Access from %s blocked."),
+		    inet_ntoa (addr->s_in.sin_addr));
+	  return 1;
+	}
+      mu_diag_output (MU_DIAG_INFO, _("connect from %s"),
+		      inet_ntoa (addr->s_in.sin_addr));
     }
+  return 0;
 }
 
 int
@@ -837,7 +845,11 @@ lmtp_daemon (char *urlstr)
 	  /*exit (EXIT_FAILURE);*/
 	}
 
-      log_connection (&addr, addrlen);
+      if (check_connection (connfd, &addr, addrlen))
+	{
+	  close (connfd);
+	  continue;
+	}
       
       pid = fork ();
       if (pid == -1)

@@ -179,6 +179,7 @@ parse_opt (int key, char *arg, struct argp_state *state)
 
     case LMTP_OPTION:
       mu_argp_node_list_new (&lst, "lmtp", "yes");
+      if (arg)
 	mu_argp_node_list_new (&lst, "listen", arg);
       break;
 
@@ -289,6 +290,7 @@ struct mu_cfg_param maidag_cfg_param[] = {
     N_("url") },
   { "reuse-address", mu_cfg_bool, &reuse_lmtp_address, NULL,
     N_("Reuse existing address (LMTP mode).  Default is \"yes\".") },
+  TCP_WRAPPERS_CONFIG
   { NULL }
 };
 
@@ -454,6 +456,8 @@ main (int argc, char *argv[])
 
   mu_gocs_register ("sieve", mu_sieve_module_init);
 
+  mu_gocs_daemon = daemon_param;
+  
   /* Parse command line */
   mu_argp_init (program_version, NULL);
   if (mu_app_init (&argp, maidag_argp_capa, maidag_cfg_param, 

@@ -93,6 +93,8 @@
 
 #include "mailutils/libargp.h"
 
+#include "tcpwrap.h"
+
 /* Debug */
 extern int debug_level;
 #define dbg() if (debug_level) debug

@@ -57,7 +57,7 @@ pop3d_LDADD = \
  ${MU_LIB_AUTH}\
  @MU_AUTHLIBS@ \
  ${MU_LIB_MAILUTILS}\
- @MU_COMMON_LIBRARIES@
+ @MU_COMMON_LIBRARIES@ @TCPWRAP_LIBRARIES@
 
 popauth_SOURCES = popauth.c
 popauth_LDADD = ${MU_APP_LIBRARIES} ${MU_LIB_MAILUTILS} @MU_COMMON_LIBRARIES@

@@ -20,6 +20,7 @@
 #include "pop3d.h"
 #include "mailutils/pam.h"
 #include "mailutils/libargp.h"
+#include "tcpwrap.h"
 
 mu_mailbox_t mbox;
 int state;
@@ -61,7 +62,6 @@ static int pop3d_mainloop       (int fd, FILE *, FILE *);
 static void pop3d_daemon_init   (void);
 static void pop3d_daemon        (unsigned int, unsigned int);
 static error_t pop3d_parse_opt  (int key, char *arg, struct argp_state *astate);
-static void pop3d_log_connection (int fd);
 
 const char *program_version = "pop3d (" PACKAGE_STRING ")";
 static char doc[] = N_("GNU pop3d -- the POP3 daemon");
@@ -159,6 +159,7 @@ static struct mu_cfg_param pop3d_cfg_param[] = {
     N_("Set the bulletin database file name."),
     N_("file") },
 #endif
+  TCP_WRAPPERS_CONFIG
   { NULL }
 };
     
@@ -379,26 +380,32 @@ pop3d_daemon_init (void)
 #endif
 }
 
-void
-pop3d_log_connection (int fd)
+int
+pop3d_get_client_address (int fd, struct sockaddr_in *pcs)
 {
   mu_diag_output (MU_DIAG_INFO, _("Incoming connection opened"));
 
-  /* log information on the connecting client */
+  /* log information on the connecting client. */
   if (debug_mode)
     {
       mu_diag_output (MU_DIAG_INFO, _("Started in debugging mode"));
+      return 1;
     }
   else
     {
-      struct sockaddr_in cs;
-      int len = sizeof cs;
-      if (getpeername (fd, (struct sockaddr*)&cs, &len) < 0)
-	mu_diag_output (MU_DIAG_ERROR, _("Cannot obtain IP address of client: %s"),
+      int len = sizeof *pcs;
+      if (getpeername (fd, (struct sockaddr*) pcs, &len) < 0)
+	{
+	  mu_diag_output (MU_DIAG_ERROR,
+			  _("Cannot obtain IP address of client: %s"),
 			  strerror (errno));
+	  return 1;
+	}
       else
-	mu_diag_output (MU_DIAG_INFO, _("connect from %s"), inet_ntoa (cs.sin_addr));
+	mu_diag_output (MU_DIAG_INFO,
+			_("connect from %s"), inet_ntoa (pcs->sin_addr));
     }
+  return 0;
 }
 
 /* The main part of the daemon. This function reads input from the client and
@@ -412,6 +419,21 @@ pop3d_mainloop (int fd, FILE *infile, FILE *outfile)
 {
   int status = OK;
   char buffer[512];
+  struct sockaddr_in cs;
+
+  if (pop3d_get_client_address (fd, &cs) == 0)
+    {
+      if (!mu_tcpwrapper_access (fd))
+	{
+	  mu_error (_("Access from %s blocked."), inet_ntoa (cs.sin_addr));
+	  return 1;
+	}
+    }
+  else if (!debug_mode && mu_tcp_wrapper_enable)
+    {
+      mu_error (_("Rejecting connection from unknown address"));
+      return 1;
+    }
     
   /* Reset hup to exit.  */
   signal (SIGHUP, pop3d_signal);
@@ -422,8 +444,6 @@ pop3d_mainloop (int fd, FILE *infile, FILE *outfile)
 
   state = initial_state;
 
-  pop3d_log_connection (fd);
-
   /* Prepare the shared secret for APOP.  */
   {
     char *local_hostname;