>The real "only" way to enqueue mail for local delivery via Postfix is >postdrop(1), which is "setgid" to a group that can write to the >"maildrop" queue. If you set "authorized_submit_users" to a restricted >set of trusted system accounts, then all users would have to use your >shim, a postdrop(1) will refuse service. Your shim can talk SMTP to >a relay that can selectively refuse messages.
Precious info. The fact that ANY script would then need to go through a single shim to access the queue is comforting. I don't know if this could be put to consideration by your dev team (or not, because of technical considerations above my knowledge), but a single door to a barn makes a more secure barn. If external and internal clients could be treated as equally at risk of abuse, security would be much improved and a single set of parameters could then be used to regulate mail flow from any source. Thank you very very much for your time.
