When I modified /etc/hosts.allow i read the xinetd doc: With this option (compiling option --with-libwrap) turned on, xinetd will first look at your /etc/hosts.{allow|deny} files, then if access is granted, it goes through xinetd's internal access control mechanisms. Note that xinetd passes the service name, *not* the server name to libwrap But services in /etc/hosts.allow depend on server name and *not* on service name. This is bad as I can't set up different lines for SPOP and IMAPS.
This is a documentation problem. The server name is used, since that's what's always been used in those files.
The behaviour in xinetd was changed to match the old behaviour, but the documentation wasn't changed... will fix.
Fixed in xinetd-2.1.8.9pre12-3, which eventually will show up in Rawhide.