About this time, a google result sent me to read README.Debian. (A bit embarrassing that I hadn't already, but there ya go.) The actual file on Lenny was /usr/share/doc/mysql-server-5.0/README.Debian.gz and it gave me the puzzle piece I needed:
If your connection is aborted immediately see if "mysqld: all" or similar is in /etc/hosts.allow and read hosts_access(5).
Sigh... I added mysqld: 127.0.0.1 to hosts.allow and it all came good. The mail.log started complaining about the SQL syntax, which was really good news at the time, that was something I could fix!
Dipps, thank you for your post.
As far as I'm aware of, it makes sense to have a rule in /etc/hosts.allow when there is a rule in /etc/hosts.deny which blocks everything (ie: "all: all") or part of it ("mysql: all"). For the beginner, the explanation: first rule denies everything, in which case we need a rule in /etc/hosts.allow to allow mysql, the second blocks mysql from the public IP, in which case wee need a rule in /etc/hosts.allow to override this for the specific part we need mysql access (local - 127.0.0.1, or public_ip).
I find this link useful for those who need more informations about how hosts.deny/hosts.allow works:
In short, this is what we need to read from the link above:
The access control software consults two files. The search stops at the first match:
* Access will be granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file.
* Otherwise, access will be denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file.
* Otherwise, access will be granted.