Hi, Thanks everyone for your help and input. I think perhaps my attempt to be brief and focused in posing my question has led to some confusion about my needs and configuration. I do not have the luxury of being able to segregate the server (postfix and dovecot) from client (GUI, etc) on different machines. I am, as Charles' surmised, using this to aggregate disparate mail streams into a single location, and using dovecot to serve it. Since I must run client-ish applications on this machine, the application firewall is desirable. The anticipated load on this system from the server side is quite light, so the throughput overhead incurred by the application firewall is negligible. The problem appears to be that--for some reason--dovecot identifies itself incorrectly to the application firewall, resulting in the garbage shown in the logs and failure to permit this connection (the firewall is configured to explicitly permit connections for dovecot). I note that other daemons (e.g. postfix, sshd, etc) do not exhibit this defect; the firewall works as expected for every other service I've tried except dovecot. The logs for the firewall appear as:

Aug 26 20:43:45 hostname Firewall[55]: Deny ^L connecting from XX.XX.XX.XX:37310 uid = 0 proto=6 Aug 26 20:43:53 hostname Firewall[55]: Deny ^H?^U???^Z connecting from XX.XX.XX.XX:37310 uid = 0 proto=6

Both of these are dovecot hits--but the name is different each time. Also the ?'s aren't really "?" marks; they're trans-ascii characters with high bits set that my mailer doesn't like very much. It really looks like a misdirected pointer or something somewhere, but I'm not familiar enough with the codebase to know where to start looking, or if in fact it is something else that is misconfigured. Any thoughts on how to resolve this?

Patrick