Re: Delay in responding caused by netfilter ?


 



Rather than allowing ident would it be possible to do a REJECT (via iptables -t filter -A OUTPUT -j REJECT) (I'm not sure if this can be a policy or not) that way the ident will fail immediately versus timing out? That is if you don't want the ident to happen. Seeing as how a LOT of servers don't even support ident any more this might just as well be an option.

I have written some rules and posted them to the mail list (see https://lists.netfilter.org/pipermail/netfilter/2005-May/060150.html) on how to REJECT Ident (Auth) queries only for systems that you have recently sent SMTP traffic to. It would be fairly easy to extend it to work for POP3 as well. Take a look if you are interested.



Grant. . . .
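
One way to express the idea in the message above with the iptables `recent` match, as an added example that is not the rule set from the linked post: remember the peers of outbound SMTP (and optionally POP3) connections, and answer ident queries from those peers with a TCP reset so their lookup fails at once instead of timing out. The list name `mail_peers` and the 60-second window are assumptions; the function only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: prints iptables commands, does not apply them.
# Assumed values (not from the original post):
LIST=mail_peers   # hypothetical name of the recent-match list
WINDOW=60         # seconds a peer stays eligible after we last contacted it

# Usage: ident_reject_rules PORT...   (25 = SMTP, 110 = POP3)
ident_reject_rules() {
    for port in "$@"; do
        # Record the destination address of each new outbound mail
        # connection. No -j target: the rule exists for the side effect
        # of --set, then the packet continues down the chain.
        echo "iptables -A OUTPUT -p tcp --dport $port --syn" \
             "-m recent --name $LIST --rdest --set"
    done
    # An ident (auth, tcp/113) query whose source address was recorded
    # within the window gets an immediate RST, so the remote server's
    # ident lookup fails straight away rather than waiting for a timeout.
    echo "iptables -A INPUT -p tcp --dport 113 --syn" \
         "-m recent --name $LIST --rsource --rcheck --seconds $WINDOW" \
         "-j REJECT --reject-with tcp-reset"
    # Ident queries from any other host are not matched here and fall
    # through to whatever the existing INPUT rules or policy decide.
}

# Dry run: show the rules for SMTP and POP3.
ident_reject_rules 25 110
```

To apply the rules after review, pipe the output to `sh` as root; the REJECT rule must sit ahead of any rule that would DROP port 113 traffic.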

