>identd, Hummm, this seem the most plausible reason thus far.  Do you know   
>of an option to stop this?  Our MIS would rather die that to open a hole,   
>for packet, at a specific port.

Well, since the source code is available, you could always dike it out
if no other option is available.  Or you could use SOCKS on the identd
port, if your MIS is truely that paranoid.

>Also, this doesn't explain why if I do a `telnet beta 25` on beta, I   
>still get an immediate connection, beta has ident remarked out.  Does   
>sendmail ignore local connections?

Actually, it does.  "Connection refused" returns immedately from a unused
but reachable socket.  Blocked ports take longer to timeout since several
retries are attempted at the lower levels of TCP (IP?).

Max