check_vrfy and check_expn
Validate VRFY and EXPN
Policy rule set
The SMTP VRFY command is used to verify an
email address. The SMTP EXPN command is used to expand an email
address. They are used like this:
VRFY gw@wash.dc.gov
250 2.1.5 George Washington <gw@wash.dc.gov>
VRFY nosuchuser@wash.dc.gov
550 5.1.1 nosuchuser@wash.dc.gov... User unknown
EXPN all@wash.dc.gov
250-2.1.5 George Washington <gw@wash.dc.gov>
250 2.1.5 Andrew Jackson <aj@wash.dc.gov>
If sendmail can deliver to the address
specified, it will respond with a 250, a DSN 2.1.1, the full name of
the recipient (if known), and the normalized address. If the address
is bad, sendmail will reply with a 550, a DSN
5.1.1, and the reason for the rejection of the request. If the
request is to EXPN, and if the address expands to one or more
other addresses, as with an alias or a mailing list,
sendmail will print each expanded-to address,
one per line.
If your site has set goaway or
novrfy for the PrivacyOptions
option, sendmail
will reject all SMTP VRFY commands with the following message:
252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger)
If your site has set goaway or
noexpn for the PrivacyOptions
option, sendmail
will reject all SMTP EXPN commands with the following message:
502 5.7.0 Sorry, we do not allow this operation
The check_vrfy rule set can serve two useful
functions. It can be used to print a different rejection message, and
it can be used to allow verification of some but not all addresses.
The check_expn rule set can replace
check_vrfy in the following two examples, when
SMTP EXPN is of concern.
Use check_vrfy to change rejection message
If you prefer to reject SMTP VRFY commands with a less helpful
message than sendmail uses, you can set up
something such as the following in your mc
configuration file:
LOCAL_RULESETS
Scheck_vrfy
R $*	$# error $@ 2.5.2 $: "252 VRFY forbidden"
For this rule set to be called, you need to omit both
goaway and novrfy from your
PrivacyOptions option's setting.
Thereafter, whenever an SMTP VRFY
command is received, sendmail will call the
check_vrfy rule set. In this version of that rule
set, we simply match all addresses (the LHS $*).
Every address is rejected by the RHS using the
$#error delivery agent with a message such as this:
252 2.5.2 VRFY forbidden
Use check_vrfy to select addresses to verify
The goaway and novrfy
PrivacyOptions option settings reject all SMTP VRFY commands. But at your
site, you might instead wish to allow selected addresses to be
verified, and others to be rejected. One way to do that is by adding
lines such as the following to your mc
configuration file:
LOCAL_RULESETS
Scheck_vrfy
R $*	$: $>canonify $1	focus on the host
R $* <@ $=w . > $*	$: $1	isolate the user
R postmaster	$# error $@ 2.5.1 $: "251 <postmaster@$j>"
R abuse	$# error $@ 2.5.1 $: "251 <abuse@$j>"
R $*	$# error $@ 2.5.2 $: "252 VRFY forbidden"
For this rule set to be called, you need to omit both
goaway and novrfy from your
PrivacyOptions option's setting.
Thereafter, whenever an SMTP VRFY
command is received, sendmail will call the
check_vrfy rule set.
The address given to the SMTP VRFY command is provided to the
check_vrfy rule set in its workspace. The first
rule passes that address to the canonify rule set
3 (Section 19.3), which focuses on the host part by
surrounding that part in angle brackets. The second rule finds the user
portion of that address and places just that user portion into the
workspace. This is done only for addresses recognized as local.
The next two rules look for specific users that you wish to verify.
Here, you wish to let others know that you will accept mail to
postmaster and to abuse.
Attempts to verify any other users will result in a rejection of the
request.
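The interaction described above between the PrivacyOptions flags and the check_vrfy and check_expn rule sets can be checked mechanically against a generated cf file. The following Python script is an added example, not part of the original text or of sendmail. It assumes the long-form `O PrivacyOptions=` line, assumes that flags from repeated option lines accumulate, and uses a constructed cf fragment as sample input.

```python
import re

# Constructed sample of a sendmail.cf fragment (not from the original page).
SAMPLE_CF = """\
# privacy flags
O PrivacyOptions=authwarnings,noexpn
Scheck_vrfy
R$*\t$# error $@ 2.5.2 $: "252 VRFY forbidden"
Scheck_expn
R$*\t$# error $@ 5.7.0 $: "502 EXPN forbidden"
"""

# Flags that make sendmail reject the command itself, without calling the rule set.
BLOCKING = {"VRFY": {"goaway", "novrfy"}, "EXPN": {"goaway", "noexpn"}}
RULESET = {"VRFY": "check_vrfy", "EXPN": "check_expn"}


def parse_cf(text):
    """Return (privacy flags, names of defined rule sets) found in cf text."""
    flags, rulesets = set(), set()
    for line in text.splitlines():
        m = re.match(r"O\s+PrivacyOptions\s*=\s*(.*)", line, re.I)
        if m:
            # Assumption: flags from repeated option lines accumulate.
            flags |= {f.lower() for f in re.split(r"[,\s]+", m.group(1)) if f}
        elif line.startswith("S"):
            # "Sname" or "Sname=number" begins a rule-set definition.
            rulesets.add(line[1:].split("=")[0].strip())
    return flags, rulesets


def audit(text):
    """Classify how VRFY and EXPN will be handled for this configuration."""
    flags, rulesets = parse_cf(text)
    report = {}
    for cmd in ("VRFY", "EXPN"):
        blocked = bool(flags & BLOCKING[cmd])
        defined = RULESET[cmd] in rulesets
        if blocked and defined:
            report[cmd] = "builtin-reject (rule set defined but never called)"
        elif blocked:
            report[cmd] = "builtin-reject"
        elif defined:
            report[cmd] = "ruleset"
        else:
            report[cmd] = "open (addresses are disclosed)"
    return report


if __name__ == "__main__":
    for cmd, state in audit(SAMPLE_CF).items():
        print(cmd, "->", state)
```

For the sample, VRFY is reported as handled by the rule set, while the check_expn rule set is flagged as never called because noexpn is still set.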