vrfydmn - reject an email message if the RFC5322 From:-address does not comply.
In email everyone is free to specify any RFC5322 From:-header address.
Miscreants — virus authors, spammers and phishers — are aware of
this fact. They forge the RFC5322 From:-header address on purpose to
impersonate someone that suits their goal.
Average users are not aware of this fact. They tend to believe a message really
was sent by the person indicated in the RFC5322 From:-header address.
vrfydmn verifies RFC5322 From:-headers in mail messages. It compares a messages
From:-header field to a list of permitted sender domains assigned to the
sender. If the address does not meet the expectations vrfydmn may either
rectify the RFC5322 From:-header or reject the message.
This program was created to control and reject phishing abuse on SMTP submission
ports. It serves also to prevent mail loss in cases, when the given address
was under DMARC policy, i.e. Yahoo or AOL.
-u, --user user
Run vrfydmn as user user.
-g, --group group
Run vrfydmn as group user.
-s, --socket socket
Specifes the socket vrfydmn should listen on
for incoming verification requests. The socket consists of three parts -
protocol, port and address.
Use inet as prefix to indicate an IPv4
socket e.g. inet:firstname.lastname@example.org or inet6 as prefix to indicate
an IPv6 socket e.g. inet6:30072@[::1].
Use numbers to indicate the port vrfydmn
should establish its socket on e.g. 30072.
Specify an IP address. The address type must
correspond to the protocol choosen. IPv6 addresses must be enclosed in
square brackets e.g. [address].
-p, --pid pidfile
Specifies the name of a file in which vrfydmn
should note its process id.
-f, --file file
This file typically is a postfix(8) map, i.e.
relay_domains file. It should be a map with 2 columns. First column is the
domain (the key) and the second column represents some value. The value is
totally ignored in vrfydmn! If a flat file was given, the file can be
refreshed during runtime by sending the SIGHUP signal and the result can be
dumped to syslog (or standard out, if -d, --debug was given) with the SIGUSR1
-l, --ldap file
Specifies the path to a configuration file.
The file holds options for LDAP queries. If specified vrfydmn will establish a
persistent LDAP connection. See vrfydmn_ldap(5) for details.
-m, --memcached socket
Specifies a TCP socket to a memcache server.
If enabled LDAP query results will be cached in the memcache. The socket must
be specified as address and port separated by a colon e.g.
If specified vrfydmn will not reject messages
with RFC5322 From:-headers that fail verification. Instead it will attempt to
fix them. It will copy the erroneous header to a Reply-To:-header (only if
none already exists). Then it will replace the existing From:-header with the
envelope-sender address (MAIL From). This option is recommended for web
This option is mainly for debugging and
development purposes. If specified vrfydmn will not detach. It will run in
foreground and output its activities to stdout.
There are no known bugs so far. Please submit bugs to
Christian Roessner <email@example.com> wrote the program.
Patrick Ben Koetter <firstname.lastname@example.org> wrote this man page.
vrfydmn’s home is at https://github.com/croessner/vrfydmn.
Copyright (C) 2014-2015 Christian Roessner. Free use of this software is granted
under the terms of the GNU General Public License (GPL).