Slashdot Mirror


Do You Permit SMTP Verify?

John Murdoch asks: "If you're administering a mail server, you are probably familiar with the SMTP VRFY command. I'm very curious to hear from Slashdot readers who are: 1) using mail servers that do not support VRFY (it technically is not mandatory under RFC 821); or 2) using mail servers that support VRFY, but have disabled it. I'd also love to hear from anyone that knows of mail servers that do ugly things if VRFY commands are sent (Microsoft Exchange 5.0, for example, hangs the Internet Mail Service if you send a VRFY for a valid address)." Do folks think that enabling VRFY is a good idea or a potential invasion of their privacy?

"[With the] SMTP VRFY command--you can verify the address of a user on your mail server. For example, if you sent 'VRFY CmdrTaco' to the SMTP server at SlashDot.org you'd get back '250 OK'; if you sent 'VRFY CmdrChalupa' you'd probably get back '550 User is a little dog in a fast food commercial for somebody else' or something similar.

Or you would--IF your mail server will respond to VRFY messages.

Why do I want to know? I'm developing an e-commerce registration application for a major vendor to the semiconductor industry. The client produces some extremely dangerous materials, and wants to establish a rigorous authentication process for some systems. (You'd be surprised at how deadly some of the materials your chips are made of really are....) One small part of this is ensuring that the potential customer has a valid e-mail address.

If practically everybody permits (and supports) SMTP VRFY then we'll quietly check the user's address during registration. If a number of servers don't, then we'll resort to other, clunkier methods. (If you're wondering--there is a lot more authentication going on before we let you get anywhere near ordering nasty stuff. This is for a preliminary step in the process)."
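
The submission turns on what a server actually says in reply to VRFY. As an added example (not part of the original submission), the following parses SMTP replies and separates the two answers described above, 250 and 550, from the replies a server gives when VRFY is unsupported or disabled, such as 252 or 502. The sample replies and addresses are constructed, and the function names are this example's own.

```python
import re

# One reply line: 3-digit code, then "-" (more lines follow) or " " (last line), then text.
_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

def parse_reply(raw):
    """Parse a possibly multi-line SMTP reply into (code, [text, ...])."""
    lines = raw.splitlines()
    if not lines:
        raise ValueError("empty reply")
    code, texts = None, []
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        if code is not None and int(m.group(1)) != code:
            raise ValueError("reply code changed inside a multi-line reply")
        code = int(m.group(1))
        is_last = m.group(2) != "-"
        if is_last != (i == len(lines) - 1):
            raise ValueError("continuation marker does not match line position")
        texts.append(m.group(3) or "")
    return code, texts

def classify_vrfy(raw):
    """Map a VRFY reply to 'exists', 'no-such-user' or 'inconclusive'."""
    code, _ = parse_reply(raw)
    if code in (250, 251):   # 251: user not local, server will forward
        return "exists"
    if code == 550:          # mailbox unavailable
        return "no-such-user"
    # 252 (will not verify, but accepts mail), 500/502/504 (VRFY unsupported or
    # disabled), 4xx temporary errors, 551/553: none of these settle the question.
    return "inconclusive"

# Constructed sample replies (not captured from any real server).
SAMPLES = [
    "250 CmdrTaco <cmdrtaco@example.org>",
    "550 5.1.1 <cmdrchalupa@example.org>: user unknown",
    "252 2.0.0 Cannot VRFY user, but will accept message and attempt delivery",
    "502 5.5.1 VRFY command is disabled",
    "553-Ambiguous; possibilities are\r\n553-<taco1@example.org>\r\n553 <taco2@example.org>",
]

def classify_samples():
    return [classify_vrfy(s) for s in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, classify_samples()):
        print(f"{verdict:13} {sample.splitlines()[0]}")
```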
