Security issues:

The author recommends that a seperate user 'popa3d' is created. However,
for ease of installation this port uses 'nobody'. Don't use 'nobody' for
anything else, or recompile popa3d to use 'popa3d' and create that user
yourself.

The onetime use of strcmp seems correct. One parameter is 'pw->passwd',
obtained from a call to getpwnam. The other parameter is 'pass', which is
derived from an input-buffer of which popa3d takes care not to overrun.

sprintf is used once. Its parameters are 'MAIL_SPOOL_PATH', which is a
compile-time constant and 'mailbox', which is the username, derived from
the password-file. 
Feedback from author: "buffer is malloc()'ed one line earlier to the correct
size, regardless of where the input comes from. The only required property of
those two strings, is that they're of a sane length not to cause an integer
overflow in the addition".

One more time: POP3 is inherently insecure. Passwords are sent in cleartext, 
everytime a user checks his mailbox.