Predictably, the cause of this odd behavior was in fact external to Postfix.

The server has 3 DNS servers in resolv.conf: itself, another one sitting across the room, and a third far away which was added in the same disaster recovery event that precipitated the upgrade from 2.4.5 to 2.9.3 a few months ago. The first 2 have my "blackhole" nameserver list; the third does not and will not. I had not considered the fact that libresolv (or perhaps Postfix itself?) sees a "SERVFAIL" reply as sufficiently dubious that it does not accept a single nameserver's response as definitive and instead tries them all. This is a rational strategy, but not something I had considered until an extended discussion of this as a "tempfail" condition. Removing the external nameserver solved the problem.

My thanks go to all who spoke up and esp. Dr. Venema for writing an MTA that always ends up being the wrong place to be looking for a source of trouble.

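The failover described in the message above, as an added example that is not part of the original post and is not libresolv or Postfix code. It is a simplified model which assumes the blackhole list answers with SERVFAIL; the addresses, the zone name and the `fake_query` stand-in are constructed. It shows why one resolv.conf entry without the list defeats it, and how to flag such an entry.

```python
# Added illustration: simplified model of stub-resolver failover, not libresolv or Postfix code.
SERVFAIL, NOERROR = "SERVFAIL", "NOERROR"

# Constructed resolv.conf; addresses are documentation-range placeholders.
RESOLV_CONF = """\
# local, across the room, far away
nameserver 127.0.0.1
nameserver 192.0.2.53
nameserver 198.51.100.53
"""
ENFORCING = {"127.0.0.1", "192.0.2.53"}   # servers that carry the blackhole list
BLACKHOLED = {"blocked.example"}          # constructed blackholed zone


def parse_nameservers(text):
    """Return nameserver addresses in file order (glibc uses at most 3)."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers[:3]


def fake_query(server, name):
    """Stand-in for a real DNS query: returns (rcode, answer)."""
    if server in ENFORCING and name in BLACKHOLED:
        return SERVFAIL, None
    return NOERROR, "203.0.113.10"


def stub_resolve(name, servers, query=fake_query):
    """Try servers in order; SERVFAIL is not treated as final, so move on."""
    for server in servers:
        rcode, answer = query(server, name)
        if rcode != SERVFAIL:
            return server, rcode, answer
    return None, SERVFAIL, None


def find_policy_gaps(names, servers, query=fake_query):
    """Map each name that some servers SERVFAIL to the servers that still answer it."""
    gaps = {}
    for name in names:
        rcodes = {s: query(s, name)[0] for s in servers}
        answering = [s for s, rc in rcodes.items() if rc != SERVFAIL]
        if answering and len(answering) < len(servers):
            gaps[name] = answering
    return gaps
```

To audit a live host, pass a `query` function that sends the lookup to one specific server and returns its response code.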