* configure.ac: Add TCP wrappers support.

* imap4d/Makefile.am, mu_daemon_argp_parser (LDADD): Add
TCPWRAP_LIBRARIES.
* imap4d/imap4d.c: Include tcpwrap.h
(imap4d_mainloop): Check the connection using tcp wrappers.
* imap4d/preauth.c: Fix a typo in the comment.
* maidag/maidag.h: Include tcpwrap.h
* maidag/maidag.c, maidag/lmtp.c: Add TCP wrappers support.
* pop3d/pop3d.c: Include tcpwrap.h
(pop3d_mainloop): Check the connection using tcp wrappers.
* lib/Makefile.am: Add tcpwrap.c and tcpwrap.h
* lib/tcpwrap.c: New file.
* lib/tcpwrap.h: New file.
* libargp/common.c (mu_daemon_argp_parser): Bugfix.

+2007-12-05  Sergey Poznyakoff  <gray@gnu.org.ua>
+
+	* configure.ac: Add TCP wrappers support.
+	* imap4d/Makefile.am, mu_daemon_argp_parser (LDADD): Add
+	TCPWRAP_LIBRARIES. 
+	* imap4d/imap4d.c: Include tcpwrap.h
+	(imap4d_mainloop): Check the connection using tcp wrappers.
+	* imap4d/preauth.c: Fix a typo in the comment.
+	* maidag/maidag.h: Include tcpwrap.h
+	* maidag/maidag.c, maidag/lmtp.c: Add TCP wrappers support.
+	* pop3d/pop3d.c: Include tcpwrap.h
+	(pop3d_mainloop): Check the connection using tcp wrappers.
+	* lib/Makefile.am: Add tcpwrap.c and tcpwrap.h
+	* lib/tcpwrap.c: New file.
+	* lib/tcpwrap.h: New file.
+	* libargp/common.c (mu_daemon_argp_parser): Bugfix.
+
 2007-12-04  Sergey Poznyakoff  <gray@gnu.org.ua>
 2007-12-04  Sergey Poznyakoff  <gray@gnu.org.ua>
 
 
 	II. Extend --config-help output.  Each configuration parameter
 	II. Extend --config-help output.  Each configuration parameter

-GNU mailutils NEWS -- history of user-visible changes. 2007-12-03
+GNU mailutils NEWS -- history of user-visible changes. 2007-12-05
 Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation, Inc.
 Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation, Inc.
 See the end of file for copying conditions.
 See the end of file for copying conditions.
 
 
@@ -9,7 +9,86 @@ Version 1.2.90:
 
 
 * New configuration file format.
 * New configuration file format.
 
 
-* Diagnostic and debugging functions essentially rewritten.
+* Programs
+
+** Debugging and online help
+
+Each Mailutils utility understands two additional command line
+options:
+
+ --debug-level=LEVEL    Set Mailutils debugging level.
+ --debug-line-info      Show source info with debugging messages.
+
+(see also `** Global debugging and verbosity settings.', below)
+
+The programs using configuration file facility also understand the
+--config-help command line option.  This option prints on the standard
+output the detailed description of configuration file statements that
+affect the given program.
+
+** New utility `maidag'
+
+Maidag is a MAIl Delivery AGent. It is a general-purpose MDA able to
+run in both traditional and LMTP mode and to deliver mails to various
+mailbox formats. It is also able to process incoming messages using
+Sieve or Scheme scripts and, based on results of this processing,
+to take a decision on whether to actually deliver and where to
+deliver them.
+
+** New Sieve action `pipe'
+
+Syntax: pipe [:envelope] <command line: string> 
+
+This action executes the given <command line> and pipes the message to
+its standard input. If the :envelope tag is given, the envelope of the
+message is piped as well.
+
+** Client SMTP STARTTLS support
+
+** Support for new protocols: POPS (pops://) and IMAPS (imaps://),
+
+** LDAP support (authentication and authorization).
+
+** Support for TCP wrappers.
+
+The support for TCP wrappers is added to the daemon programs (imap4d,
+pop3d, maidag). The support is controlled at compile time by the
+--with-tcpwrappers command line options to configure. By default, it
+is enabled if libwrap presence is detected. A set of configuration
+file statements are provided for fine tuning TCP wrappers at run-time.
+
+** pop3d: Fixed APOP handling.
+
+** imap4d supports PREAUTH mode.
+
+Three mechanisms are provided for authentifying the connection in
+PREAUTH mode:
+
+ 1. stdio - PREAUTH mode is enabled automatically if imap4d is started
+    from command line in interactive mode (-i command line
+    option). The current login name is used as the user name.
+
+ 2. ident - The remote machine is asked about the requester identity
+    using the identification protocol (RFC 1413). Both plaintext and
+    DES encrypted replies are understood.
+
+ 3. prog - Imap4d invokes an external program to authenticate the
+    connection. Four arguments are supplied to the program:
+
+      1) Remote IP address in dotted-quad notation;
+      2) Remote port number;
+      3) Local IP address (currently "0.0.0.0");
+      4) Local port number.
+
+    If the connection is authenticated, the program should print the
+    user name, followed by a newline character, on its standard
+    output and exit with code 0.
+
+    Otherwise, it shoud exit with a non-zero exit code.
+    
+* Libraries
+
+** Diagnostic and debugging functions essentially rewritten.
 
 
 A set of debugging macros, MU_DEBUG0 through MU_DEBUG11, is provided.
 A set of debugging macros, MU_DEBUG0 through MU_DEBUG11, is provided.
 New functions mu_debug_printf and mu_debug_vprintf allow for flexible
 New functions mu_debug_printf and mu_debug_vprintf allow for flexible
@@ -43,7 +122,7 @@ approach is recommended to use instead of mu_error_set_print:
       mu_diag_get_debug (&debug);
       mu_diag_get_debug (&debug);
       mu_debug_set_print (debug, new_printer, NULL);
       mu_debug_set_print (debug, new_printer, NULL);
 
 
-* Global debugging and verbosity settings.
+** Global debugging and verbosity settings.
 
 
 These settings provide default values for mu_debug_t objects created
 These settings provide default values for mu_debug_t objects created
 by various library objects. The following functions are provided for
 by various library objects. The following functions are provided for
@@ -53,27 +132,12 @@ dealing with global debugging level:
    int mu_global_debug_set_level (const char *object_name, unsigned level);
    int mu_global_debug_set_level (const char *object_name, unsigned level);
    int mu_global_debug_clear_level (const char *object_name);
    int mu_global_debug_clear_level (const char *object_name);
 
 
-Each Mailutils utility understands two additional command line
-options:
-
- --debug-level=LEVEL    Set Mailutils debugging level.
- --debug-line-info      Show source info with debugging messages.
-      
-* New utility `maidag'
-
-Maidag is a MAIl Delivery AGent. It is a general-purpose MDA able to
-run in both traditional and LMTP mode and to deliver mails to various
-mailbox formats. It is also able to process incoming messages using
-Sieve or Scheme scripts and, based on results of this processing,
-to take a decision on whether to actually deliver and where to
-deliver them.
-
-* New function mu_mailbox_sync
+** New function mu_mailbox_sync
 
 
 It supercedes mu_mailbox_save_attributes, which is now considered
 It supercedes mu_mailbox_save_attributes, which is now considered
 deprecated.
 deprecated.
 
 
-* Observable event handling
+** Observable event handling
 
 
 Each event type is associated with an event-specific data
 Each event type is associated with an event-specific data
 pointer. This pointer is passed to event handling functions along with
 pointer. This pointer is passed to event handling functions along with
@@ -92,14 +156,6 @@ message is appended to the mailbox.
 A set of functions are provided for so-called `quick access' to mail
 A set of functions are provided for so-called `quick access' to mail
 messages. FIXME: describe it.
 messages. FIXME: describe it.
 
 
-* New Sieve action `pipe'
-
-Syntax: pipe [:envelope] <command line: string> 
-
-This action executes the given <command line> and pipes the message to
-its standard input. If the :envelope tag is given, the envelope of the
-message is piped as well.
-
 * New `aget' and `sget' accessors for mu_url_t
 * New `aget' and `sget' accessors for mu_url_t
 
 
 The following new accessors are provided:
 The following new accessors are provided:
@@ -138,41 +194,6 @@ It is parsed as an absolute file name `/a/b'.
 Previous versions incorrectly understood such an URL as `a/b'
 Previous versions incorrectly understood such an URL as `a/b'
 (relative file name). 
 (relative file name). 
 
 
-* Client SMTP STARTTLS support
-
-* Support for new protocols: POPS (pops://) and IMAPS (imaps://),
-
-* LDAP support (authentication and authorization).
-
-* Fixed APOP handling.
-
-* imap4d supports PREAUTH mode.
-
-Three mechanisms are provided for authentifying the connection in
-PREAUTH mode:
-
- 1. stdio - PREAUTH mode is enabled automatically if imap4d is started
-    from command line in interactive mode (-i command line
-    option). The current login name is used as the user name.
-
- 2. ident - The remote machine is asked about the requester identity
-    using the identification protocol (RFC 1413). Both plaintext and
-    DES encrypted replies are understood.
-
- 3. prog - Imap4d invokes an external program to authenticate the
-    connection. Four arguments are supplied to the program:
-
-      1) Remote IP address in dotted-quad notation;
-      2) Remote port number;
-      3) Local IP address (currently "0.0.0.0");
-      4) Local port number.
-
-    If the connection is authenticated, the program should print the
-    user name, followed by a newline character, on its standard
-    output and exit with code 0.
-
-    Otherwise, it shoud exit with a non-zero exit code.
-
 * Remove v0.6 compatibility layer.
 * Remove v0.6 compatibility layer.
 
 
 
 

@@ -75,6 +75,7 @@ status_gsasl=no
 status_mysql=no
 status_mysql=no
 status_pgsql=no
 status_pgsql=no
 status_ldap=no
 status_ldap=no
+status_tcpwrap=maybe
 
 
 dnl Internationalization macros.
 dnl Internationalization macros.
 AM_GNU_GETTEXT([external], [need-ngettext])
 AM_GNU_GETTEXT([external], [need-ngettext])
@@ -148,6 +149,43 @@ case "${enableval}" in
   *)   AC_MSG_ERROR([bad value ${enableval} for --disable-pam]) ;;
   *)   AC_MSG_ERROR([bad value ${enableval} for --disable-pam]) ;;
 esac],[testpam=yes])
 esac],[testpam=yes])
 
 
+AC_ARG_WITH(tcp-wrappers,
+	AC_HELP_STRING([--with-tcp-wrappers],
+	               [compile with TCP wrappers (libwrap) support]),
+	[status_tcpwrap=${withval}],
+	[status_tcpwrap=maybe])
+
+saved_LIBS=$LIBS
+TCPWRAP_LIBRARIES=
+case $status_tcpwrap in
+ yes) AC_CHECK_LIB(wrap, main,,
+                   [AC_MSG_ERROR([Required library libwrap not found])])
+      AC_CHECK_LIB(nsl, main,
+                   [TCPWRAP_LIBRARIES=-lnsl])
+      AC_CHECK_HEADERS(tcpd.h,,
+                       [AC_MSG_ERROR([Required header tcpd.h not found])])
+      status_tcpwrap=yes
+      ;;
+
+ maybe)
+      AC_CHECK_LIB(wrap, main,
+                   [status_tcpwrap=yes],
+                   [status_tcpwrap=no])
+      AC_CHECK_LIB(nsl, main, [TCPWRAP_LIBRARIES=-lnsl])
+      AC_CHECK_HEADERS(tcpd.h,
+                       [status_tcpwrap=yes],
+                       [status_tcpwrap=no])
+      ;;
+ no)  ;;
+esac
+LIBS=$saved_LIBS
+
+if test "$status_tcpwrap" = "yes"; then
+  AC_SUBST(TCPWRAP_LIBRARIES, "$TCPWRAP_LIBRARIES -lwrap")
+  AC_DEFINE_UNQUOTED(WITH_LIBWRAP, 1,
+                     [Define to 1 to use tcp wrappers.])
+fi
+
 AC_ARG_ENABLE([pthread],
 AC_ARG_ENABLE([pthread],
               AC_HELP_STRING([--disable-pthread],
               AC_HELP_STRING([--disable-pthread],
                              [disable pthread]),
                              [disable pthread]),
@@ -1070,6 +1108,7 @@ Use GNU TLS.................... $status_gnutls
 Use GSASL...................... $status_gsasl
 Use GSASL...................... $status_gsasl
 Use GSSAPI..................... $status_gssapi
 Use GSSAPI..................... $status_gssapi
 Use Guile...................... $status_guile
 Use Guile...................... $status_guile
+Use TCP wrappers............... $status_tcpwrap
 Pthread support................ $status_pthread
 Pthread support................ $status_pthread
 Readline support............... $status_readline
 Readline support............... $status_readline
 MySQL support.................. $status_mysql
 MySQL support.................. $status_mysql
@@ -1104,6 +1143,7 @@ status_gnutls=$WITH_GNUTLS
 status_gsasl=$status_gsasl
 status_gsasl=$status_gsasl
 status_gssapi=$WITH_GSSAPI
 status_gssapi=$WITH_GSSAPI
 status_guile=$useguile
 status_guile=$useguile
+status_tcpwrap=$status_tcpwrap
 status_pthread=$usepthread
 status_pthread=$usepthread
 status_readline=$usereadline
 status_readline=$usereadline
 status_mysql=$status_mysql
 status_mysql=$status_mysql

@@ -70,7 +70,7 @@ imap4d_LDADD = \
  ${MU_LIB_AUTH}\
  ${MU_LIB_AUTH}\
  @MU_AUTHLIBS@ \
  @MU_AUTHLIBS@ \
  ${MU_LIB_MAILUTILS}\
  ${MU_LIB_MAILUTILS}\
- @SERV_AUTHLIBS@ @MU_COMMON_LIBRARIES@
+ @SERV_AUTHLIBS@ @MU_COMMON_LIBRARIES@ @TCPWRAP_LIBRARIES@
 
 
 ## This kludge is necessary to correctly establish imap4d -> IMAP_AUTHOBJS
 ## This kludge is necessary to correctly establish imap4d -> IMAP_AUTHOBJS
 ## and imap4d -> MU_AUTHLIBS dependencies. Automake stupidly refuses to 
 ## and imap4d -> MU_AUTHLIBS dependencies. Automake stupidly refuses to 

@@ -22,11 +22,11 @@
 # include <mailutils/gsasl.h>
 # include <mailutils/gsasl.h>
 #endif
 #endif
 #include "mailutils/libargp.h"
 #include "mailutils/libargp.h"
+#include "tcpwrap.h"
 
 
 mu_mailbox_t mbox;
 mu_mailbox_t mbox;
 char *homedir;
 char *homedir;
 int state = STATE_NONAUTH;
 int state = STATE_NONAUTH;
-int debug_mode = 0;
 struct mu_auth_data *auth_data;
 struct mu_auth_data *auth_data;
 
 
 struct mu_gocs_daemon default_gocs_daemon = {
 struct mu_gocs_daemon default_gocs_daemon = {
@@ -299,7 +299,8 @@ static struct mu_cfg_param imap4d_cfg_param[] = {
   { "ident-keyfile", mu_cfg_string, &ident_keyfile, NULL,
   { "ident-keyfile", mu_cfg_string, &ident_keyfile, NULL,
     N_("Name of DES keyfile for decoding ecrypted ident responses.") },
     N_("Name of DES keyfile for decoding ecrypted ident responses.") },
   { "ident-entrypt-only", mu_cfg_bool, &ident_encrypt_only, NULL,
   { "ident-entrypt-only", mu_cfg_bool, &ident_encrypt_only, NULL,
-    N_("Use only ecrypted ident responses.") },
+    N_("Use only encrypted ident responses.") },
+  TCP_WRAPPERS_CONFIG
   { NULL }
   { NULL }
 };
 };
     
     
@@ -343,12 +344,7 @@ main (int argc, char **argv)
     mu_pam_service = "gnu-imap4d";
     mu_pam_service = "gnu-imap4d";
 #endif
 #endif
 
 
-  if (mu_gocs_daemon.mode == MODE_INTERACTIVE)
-    {
-      if (preauth_mode != preauth_stdio)
-	debug_mode = 1;
-    }
-  else
+  if (mu_gocs_daemon.mode == MODE_DAEMON)
     {
     {
       /* Normal operation: */
       /* Normal operation: */
       /* First we want our group to be mail so we can access the spool.  */
       /* First we want our group to be mail so we can access the spool.  */
@@ -457,25 +453,66 @@ imap4d_session_setup (char *username)
   return imap4d_session_setup0 ();
   return imap4d_session_setup0 ();
 }
 }
 
 
+int
+get_client_address (int fd, struct sockaddr_in *pcs)
+{
+  int len = sizeof *pcs;
+
+  if (getpeername (fd, (struct sockaddr *) pcs, &len) < 0)
+    {
+      mu_diag_output (MU_DIAG_ERROR,
+		      _("Cannot obtain IP address of client: %s"),
+		      strerror (errno));
+      return 1;
+    }
+
+  mu_diag_output (MU_DIAG_INFO, _("Connect from %s"), 
+		  inet_ntoa (pcs->sin_addr));
+  return 0;
+}
+
 static int
 static int
 imap4d_mainloop (int fd, FILE *infile, FILE *outfile)
 imap4d_mainloop (int fd, FILE *infile, FILE *outfile)
 {
 {
   char *text;
   char *text;
+  struct sockaddr_in cs;
+  int debug_mode = isatty (fd);
 
 
-  /* Reset hup to exit.  */
+  mu_diag_output (MU_DIAG_INFO, _("Incoming connection opened"));
+  if (!debug_mode)
+    {
+      if (get_client_address (fd, &cs) == 0) 
+	{
+	  if (!mu_tcpwrapper_access (fd))
+	    {
+	      mu_error (_("Access from %s blocked."), inet_ntoa (cs.sin_addr));
+	      return 1;
+	    }
+	}
+      else if (mu_tcp_wrapper_enable)
+	{
+	  mu_error (_("Rejecting connection from unknown address"));
+	  return 1;
+	}
+    }
+  
+  /* Reset hup to exit. */
   signal (SIGHUP, imap4d_signal);
   signal (SIGHUP, imap4d_signal);
-  /* Timeout alarm.  */
+  /* Timeout alarm. */
   signal (SIGALRM, imap4d_signal);
   signal (SIGALRM, imap4d_signal);
 
 
   util_setio (infile, outfile);
   util_setio (infile, outfile);
 
 
-  if (debug_mode)
+  if (imap4d_preauth_setup (fd) == 0)
     {
     {
-      mu_diag_output (MU_DIAG_INFO, _("Started in debugging mode"));
-      text = "IMAP4rev1 Debugging mode";
+      if (debug_mode)
+	{
+	  mu_diag_output (MU_DIAG_INFO, _("Started in debugging mode"));
+	  text = "IMAP4rev1 Debugging mode";
+	}
+      else
+	text = "IMAP4rev1";
     }
     }
-  else if (imap4d_preauth_setup (fd) == 0)
-    text = "IMAP4rev1";
   else
   else
     {
     {
       util_flush_output ();
       util_flush_output ();
@@ -546,7 +583,7 @@ imap4d_daemon (unsigned int maxchildren, unsigned int port)
       mu_diag_output (MU_DIAG_ERROR, "socket: %s", strerror (errno));
       mu_diag_output (MU_DIAG_ERROR, "socket: %s", strerror (errno));
       exit (1);
       exit (1);
     }
     }
-  size = 1;			/* Use size here to avoid making a new variable.  */
+  size = 1;	      /* Use size here to avoid making a new variable.  */
   setsockopt (listenfd, SOL_SOCKET, SO_REUSEADDR, &size, sizeof (size));
   setsockopt (listenfd, SOL_SOCKET, SO_REUSEADDR, &size, sizeof (size));
   size = sizeof (server);
   size = sizeof (server);
   memset (&server, 0, size);
   memset (&server, 0, size);
@@ -593,10 +630,14 @@ imap4d_daemon (unsigned int maxchildren, unsigned int port)
       else if (pid == 0)	/* Child.  */
       else if (pid == 0)	/* Child.  */
 	{
 	{
 	  int status;
 	  int status;
+	  
 	  close (listenfd);
 	  close (listenfd);
+
 	  status = imap4d_mainloop (connfd,
 	  status = imap4d_mainloop (connfd,
 				    fdopen (connfd, "r"),
 				    fdopen (connfd, "r"),
 				    fdopen (connfd, "w"));
 				    fdopen (connfd, "w"));
+	    
+	  close (connfd);
 	  closelog ();
 	  closelog ();
 	  exit (status);
 	  exit (status);
 	}
 	}

@@ -40,7 +40,7 @@ do_preauth_stdio (struct sockaddr_in *pcs)
    
    
       "%*[^:]: USERID :%*[^:]:%s"
       "%*[^:]: USERID :%*[^:]:%s"
 
 
-   returns a malloced copy of the %s part.  Otherwise, return NULL. */
+   returns a mallocked copy of the %s part.  Otherwise, return NULL. */
 
 
 static char *
 static char *
 ident_extract_username (char *reply)
 ident_extract_username (char *reply)
@@ -440,14 +440,10 @@ imap4d_preauth_setup (int fd)
   int len = sizeof cs;
   int len = sizeof cs;
   char *username = NULL;
   char *username = NULL;
 
 
-  mu_diag_output (MU_DIAG_INFO, _("Incoming connection opened"));
   if (getpeername (fd, (struct sockaddr *) &cs, &len) < 0)
   if (getpeername (fd, (struct sockaddr *) &cs, &len) < 0)
     mu_diag_output (MU_DIAG_ERROR,
     mu_diag_output (MU_DIAG_ERROR,
 		    _("Cannot obtain IP address of client: %s"),
 		    _("Cannot obtain IP address of client: %s"),
 		    strerror (errno));
 		    strerror (errno));
-  else
-    mu_diag_output (MU_DIAG_INFO, _("Connect from %s"), 
-		    inet_ntoa (cs.sin_addr));
 
 
   auth_data = NULL;
   auth_data = NULL;
   switch (preauth_mode)
   switch (preauth_mode)

@@ -25,12 +25,14 @@ INCLUDES = @MU_COMMON_INCLUDES@
 libmuaux_la_SOURCES += \
 libmuaux_la_SOURCES += \
  daemon.c\
  daemon.c\
  mailcap.c\
  mailcap.c\
- mailcap.h\
- mu_dbm.c
+ mu_dbm.c\
+ tcpwrap.c
 
 
 noinst_HEADERS +=\
 noinst_HEADERS +=\
+ mailcap.h\
  mu_dbm.h\
  mu_dbm.h\
- mu_asprintf.h
+ mu_asprintf.h\
+ tcpwrap.h
 
 
 EXTRA_DIST += utmp.c
 EXTRA_DIST += utmp.c
 gl_LIBOBJS += @LIBOBJS@
 gl_LIBOBJS += @LIBOBJS@

+/* GNU Mailutils -- a suite of utilities for electronic mail
+   Copyright (C) 1999, 2001, 2002, 2003, 2004, 
+   2005, 2006, 2007 Free Software Foundation, Inc.
+
+   GNU Mailutils is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3, or (at your option)
+   any later version.
+
+   GNU Mailutils is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with GNU Mailutils; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+   MA 02110-1301 USA */
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+#include <syslog.h>
+#include <string.h>
+#include <mailutils/debug.h>
+#include <mailutils/nls.h>
+#include <mailutils/syslog.h>
+#include <mailutils/cfg.h>
+#include <mailutils/diag.h>
+
+int mu_tcp_wrapper_enable = 1;
+char *mu_tcp_wrapper_daemon;
+
+#ifdef WITH_LIBWRAP
+# include <tcpd.h>
+int deny_severity = LOG_INFO;
+int allow_severity = LOG_INFO;
+
+int
+mu_tcp_wrapper_cb_hosts_allow (mu_debug_t debug, void *data, char *arg)
+{
+  hosts_allow_table = strdup (arg);
+  return 0;
+}
+
+int
+mu_tcp_wrapper_cb_hosts_deny (mu_debug_t debug, void *data, char *arg)
+{
+  hosts_deny_table = strdup (arg);
+  return 0;
+}
+
+int
+mu_tcp_wrapper_cb_hosts_allow_syslog (mu_debug_t debug, void *data,
+				      char *arg)
+{
+  if (mu_string_to_syslog_facility (arg, &allow_severity))
+    mu_cfg_format_error (debug, MU_DEBUG_ERROR, 
+			 _("Unknown syslog facility `%s'"), 
+			 arg);
+  return 0;
+}
+
+int
+mu_tcp_wrapper_cb_hosts_deny_syslog (mu_debug_t debug, void *data, char *arg)
+{
+  if (mu_string_to_syslog_facility (arg, &deny_severity))
+    mu_cfg_format_error (debug, MU_DEBUG_ERROR, 
+			 _("Unknown syslog facility `%s'"), 
+			 arg);
+  return 0;
+}
+
+int
+mu_tcpwrapper_access (int fd)
+{
+  struct request_info req;
+
+  if (!mu_tcp_wrapper_enable)
+    return 1;
+  request_init (&req,
+		RQ_DAEMON,
+		mu_tcp_wrapper_daemon ?
+		     mu_tcp_wrapper_daemon : mu_program_name,
+		RQ_FILE, fd, NULL);
+  fromhost (&req);
+  return hosts_access (&req);
+}
+
+#else
+
+int
+mu_tcpwrapper_access (int fd)
+{
+  return 1;
+}
+
+#endif

+/* GNU Mailutils -- a suite of utilities for electronic mail
+   Copyright (C) 1999, 2001, 2002, 2003, 2004, 
+   2005, 2006, 2007 Free Software Foundation, Inc.
+
+   GNU Mailutils is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3, or (at your option)
+   any later version.
+
+   GNU Mailutils is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with GNU Mailutils; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+   MA 02110-1301 USA */
+
+#include <mailutils/types.h>
+
+extern int mu_tcp_wrapper_enable;
+const char *mu_tcp_wrapper_daemon;
+extern int mu_tcp_wrapper_cb_hosts_allow (mu_debug_t debug, void *data,
+					  char *arg);
+extern int mu_tcp_wrapper_cb_hosts_deny (mu_debug_t debug, void *data,
+					 char *arg);
+extern int mu_tcp_wrapper_cb_hosts_allow_syslog (mu_debug_t debug, void *data,
+						 char *arg);
+extern int mu_tcp_wrapper_cb_hosts_deny_syslog (mu_debug_t debug, void *data,
+						char *arg);
+extern int mu_tcpwrapper_access (int fd);
+
+#ifdef WITH_LIBWRAP
+# define TCP_WRAPPERS_CONFIG						      \
+  { "tcp-wrapper-enable", mu_cfg_bool, &mu_tcp_wrapper_enable, NULL,	      \
+    N_("Enable TCP wrapper access control.  Default is \"yes\".") },	      \
+  { "tcp-wrapper-daemon", mu_cfg_string, &mu_tcp_wrapper_daemon, NULL,	      \
+    N_("Set daemon name for TCP wrapper lookups.  Default is program name."), \
+    N_("name") },							      \
+  { "hosts-allow-table", mu_cfg_callback, NULL, mu_tcp_wrapper_cb_hosts_allow,\
+    N_("Use file for positive client address access control "		      \
+       "(default: /etc/hosts.allow)."),					      \
+    N_("file") },							      \
+  { "hosts-deny-table", mu_cfg_callback, NULL, mu_tcp_wrapper_cb_hosts_deny,  \
+    N_("Use file for negative client address access control "		      \
+       "(default: /etc/hosts.deny)."),					      \
+    N_("file") },							      \
+  { "hosts-allow-syslog-level", mu_cfg_callback, NULL,			      \
+    mu_tcp_wrapper_cb_hosts_allow_syslog,				      \
+    N_("Log host allows at this syslog level.  See logging { facility } for " \
+       "a description of argument syntax."),				      \
+    N_("level") },							      \
+  { "hosts-allow-deny-level", mu_cfg_callback, NULL,			      \
+    mu_tcp_wrapper_cb_hosts_deny_syslog,				      \
+    N_("Log host denies at this syslog level.  See logging { facility } for " \
+       "a description of argument syntax."),				      \
+    N_("level") },
+#else
+# define TCP_WRAPPERS_CONFIG
+#endif

@@ -494,7 +494,9 @@ mu_daemon_argp_parser (int key, char *arg, struct argp_state *state)
   switch (key)
   switch (key)
     {
     {
     case 'd':
     case 'd':
-      mu_argp_node_list_new (&lst, "mode", arg);
+      mu_argp_node_list_new (&lst, "mode", "daemon");
+      if (arg)
+	mu_argp_node_list_new (&lst, "max-children", arg);
       break;
       break;
 
 
     case 'i':
     case 'i':

@@ -43,7 +43,8 @@ maidag_LDADD = \
  ${MU_LIB_MAILER}\
  ${MU_LIB_MAILER}\
  @MU_AUTHLIBS@\
  @MU_AUTHLIBS@\
  ${MU_LIB_MAILUTILS} \
  ${MU_LIB_MAILUTILS} \
- @MU_COMMON_LIBRARIES@
+ @MU_COMMON_LIBRARIES@\
+ @TCPWRAP_LIBRARIES@
 
 
 install-exec-hook:
 install-exec-hook:
 	for i in $(sbin_PROGRAMS); do\
 	for i in $(sbin_PROGRAMS); do\

@@ -761,8 +761,8 @@ lmtp_loop (FILE *in, FILE *out)
   return 0;
   return 0;
 }
 }
 
 
-void
-log_connection (all_addr_t *addr, socklen_t addrlen)
+int
+check_connection (int fd, all_addr_t *addr, socklen_t addrlen)
 {
 {
   switch (addr->sa.sa_family)
   switch (addr->sa.sa_family)
     {
     {
@@ -771,8 +771,16 @@ log_connection (all_addr_t *addr, socklen_t addrlen)
       break;
       break;
       
       
     case PF_INET:
     case PF_INET:
-      mu_diag_output (MU_DIAG_INFO, _("connect from %s"), inet_ntoa (addr->s_in.sin_addr));
+      if (!mu_tcpwrapper_access (fd))
+	{
+	  mu_error (_("Access from %s blocked."),
+		    inet_ntoa (addr->s_in.sin_addr));
+	  return 1;
+	}
+      mu_diag_output (MU_DIAG_INFO, _("connect from %s"),
+		      inet_ntoa (addr->s_in.sin_addr));
     }
     }
+  return 0;
 }
 }
 
 
 int
 int
@@ -837,7 +845,11 @@ lmtp_daemon (char *urlstr)
 	  /*exit (EXIT_FAILURE);*/
 	  /*exit (EXIT_FAILURE);*/
 	}
 	}
 
 
-      log_connection (&addr, addrlen);
+      if (check_connection (connfd, &addr, addrlen))
+	{
+	  close (connfd);
+	  continue;
+	}
       
       
       pid = fork ();
       pid = fork ();
       if (pid == -1)
       if (pid == -1)

@@ -179,7 +179,8 @@ parse_opt (int key, char *arg, struct argp_state *state)
 
 
     case LMTP_OPTION:
     case LMTP_OPTION:
       mu_argp_node_list_new (&lst, "lmtp", "yes");
       mu_argp_node_list_new (&lst, "lmtp", "yes");
-      mu_argp_node_list_new (&lst, "listen", arg);
+      if (arg)
+	mu_argp_node_list_new (&lst, "listen", arg);
       break;
       break;
 
 
     case 'r':
     case 'r':
@@ -289,6 +290,7 @@ struct mu_cfg_param maidag_cfg_param[] = {
     N_("url") },
     N_("url") },
   { "reuse-address", mu_cfg_bool, &reuse_lmtp_address, NULL,
   { "reuse-address", mu_cfg_bool, &reuse_lmtp_address, NULL,
     N_("Reuse existing address (LMTP mode).  Default is \"yes\".") },
     N_("Reuse existing address (LMTP mode).  Default is \"yes\".") },
+  TCP_WRAPPERS_CONFIG
   { NULL }
   { NULL }
 };
 };
 
 
@@ -453,6 +455,8 @@ main (int argc, char *argv[])
   mu_registrar_record (mu_smtp_record);
   mu_registrar_record (mu_smtp_record);
 
 
   mu_gocs_register ("sieve", mu_sieve_module_init);
   mu_gocs_register ("sieve", mu_sieve_module_init);
+
+  mu_gocs_daemon = daemon_param;
   
   
   /* Parse command line */
   /* Parse command line */
   mu_argp_init (program_version, NULL);
   mu_argp_init (program_version, NULL);

@@ -93,6 +93,8 @@
 
 
 #include "mailutils/libargp.h"
 #include "mailutils/libargp.h"
 
 
+#include "tcpwrap.h"
+
 /* Debug */
 /* Debug */
 extern int debug_level;
 extern int debug_level;
 #define dbg() if (debug_level) debug
 #define dbg() if (debug_level) debug

@@ -57,7 +57,7 @@ pop3d_LDADD = \
  ${MU_LIB_AUTH}\
  ${MU_LIB_AUTH}\
  @MU_AUTHLIBS@ \
  @MU_AUTHLIBS@ \
  ${MU_LIB_MAILUTILS}\
  ${MU_LIB_MAILUTILS}\
- @MU_COMMON_LIBRARIES@
+ @MU_COMMON_LIBRARIES@ @TCPWRAP_LIBRARIES@
 
 
 popauth_SOURCES = popauth.c
 popauth_SOURCES = popauth.c
 popauth_LDADD = ${MU_APP_LIBRARIES} ${MU_LIB_MAILUTILS} @MU_COMMON_LIBRARIES@
 popauth_LDADD = ${MU_APP_LIBRARIES} ${MU_LIB_MAILUTILS} @MU_COMMON_LIBRARIES@

@@ -20,6 +20,7 @@
 #include "pop3d.h"
 #include "pop3d.h"
 #include "mailutils/pam.h"
 #include "mailutils/pam.h"
 #include "mailutils/libargp.h"
 #include "mailutils/libargp.h"
+#include "tcpwrap.h"
 
 
 mu_mailbox_t mbox;
 mu_mailbox_t mbox;
 int state;
 int state;
@@ -61,7 +62,6 @@ static int pop3d_mainloop       (int fd, FILE *, FILE *);
 static void pop3d_daemon_init   (void);
 static void pop3d_daemon_init   (void);
 static void pop3d_daemon        (unsigned int, unsigned int);
 static void pop3d_daemon        (unsigned int, unsigned int);
 static error_t pop3d_parse_opt  (int key, char *arg, struct argp_state *astate);
 static error_t pop3d_parse_opt  (int key, char *arg, struct argp_state *astate);
-static void pop3d_log_connection (int fd);
 
 
 const char *program_version = "pop3d (" PACKAGE_STRING ")";
 const char *program_version = "pop3d (" PACKAGE_STRING ")";
 static char doc[] = N_("GNU pop3d -- the POP3 daemon");
 static char doc[] = N_("GNU pop3d -- the POP3 daemon");
@@ -159,6 +159,7 @@ static struct mu_cfg_param pop3d_cfg_param[] = {
     N_("Set the bulletin database file name."),
     N_("Set the bulletin database file name."),
     N_("file") },
     N_("file") },
 #endif
 #endif
+  TCP_WRAPPERS_CONFIG
   { NULL }
   { NULL }
 };
 };
     
     
@@ -379,26 +380,32 @@ pop3d_daemon_init (void)
 #endif
 #endif
 }
 }
 
 
-void
-pop3d_log_connection (int fd)
+int
+pop3d_get_client_address (int fd, struct sockaddr_in *pcs)
 {
 {
   mu_diag_output (MU_DIAG_INFO, _("Incoming connection opened"));
   mu_diag_output (MU_DIAG_INFO, _("Incoming connection opened"));
 
 
-  /* log information on the connecting client */
+  /* log information on the connecting client. */
   if (debug_mode)
   if (debug_mode)
     {
     {
       mu_diag_output (MU_DIAG_INFO, _("Started in debugging mode"));
       mu_diag_output (MU_DIAG_INFO, _("Started in debugging mode"));
+      return 1;
     }
     }
   else
   else
     {
     {
-      struct sockaddr_in cs;
-      int len = sizeof cs;
-      if (getpeername (fd, (struct sockaddr*)&cs, &len) < 0)
-	mu_diag_output (MU_DIAG_ERROR, _("Cannot obtain IP address of client: %s"),
-		strerror (errno));
+      int len = sizeof *pcs;
+      if (getpeername (fd, (struct sockaddr*) pcs, &len) < 0)
+	{
+	  mu_diag_output (MU_DIAG_ERROR,
+			  _("Cannot obtain IP address of client: %s"),
+			  strerror (errno));
+	  return 1;
+	}
       else
       else
-	mu_diag_output (MU_DIAG_INFO, _("connect from %s"), inet_ntoa (cs.sin_addr));
+	mu_diag_output (MU_DIAG_INFO,
+			_("connect from %s"), inet_ntoa (pcs->sin_addr));
     }
     }
+  return 0;
 }
 }
 
 
 /* The main part of the daemon. This function reads input from the client and
 /* The main part of the daemon. This function reads input from the client and
@@ -412,7 +419,22 @@ pop3d_mainloop (int fd, FILE *infile, FILE *outfile)
 {
 {
   int status = OK;
   int status = OK;
   char buffer[512];
   char buffer[512];
+  struct sockaddr_in cs;
 
 
+  if (pop3d_get_client_address (fd, &cs) == 0)
+    {
+      if (!mu_tcpwrapper_access (fd))
+	{
+	  mu_error (_("Access from %s blocked."), inet_ntoa (cs.sin_addr));
+	  return 1;
+	}
+    }
+  else if (!debug_mode && mu_tcp_wrapper_enable)
+    {
+      mu_error (_("Rejecting connection from unknown address"));
+      return 1;
+    }
+    
   /* Reset hup to exit.  */
   /* Reset hup to exit.  */
   signal (SIGHUP, pop3d_signal);
   signal (SIGHUP, pop3d_signal);
   /* Timeout alarm.  */
   /* Timeout alarm.  */
@@ -422,8 +444,6 @@ pop3d_mainloop (int fd, FILE *infile, FILE *outfile)
 
 
   state = initial_state;
   state = initial_state;
 
 
-  pop3d_log_connection (fd);
-
   /* Prepare the shared secret for APOP.  */
   /* Prepare the shared secret for APOP.  */
   {
   {
     char *local_hostname;
     char *local_hostname;