I just use recipient verification and if the recitient doesn't verify I
deny at connect time.
# This section is to fail even on trusted computers for remote verification
# If the recipient doesn't exist then we don't accept the message
deny message = REJECTED - User not found on Computer Tyme Servers
log_message = REJECTED - User not found on Computer Tyme Servers
domains = +local_domains
!verify = recipient/callout=60s,defer_ok