Recently we've had a spate of "spear-phishing" attacks that many of our users have fallen for, and as a result our automated scripts are running at full steam locking accounts that have been compromised and are sending out spam.
This morning I spent 2 hours dealing with one in particular that seemed to still be sending mail even after the account had been locked and then authentication entirely (and deliberately) broken altogether. Turns out the problem was a huge backlog of deferred messages that Postfix was diligently trying to re-send. As a result I will be updating our script to purge the queues of accounts that it locks to hopefully cut down on the amount of spam that gets sent out before they're detected.
What I'd like to do now is to configure Postfix to automatically defer messages based on certain criteria, such as the number of intended recipients. If it's a legit message it will go out after a delay, but if the account is seen to be sending spam we've got a better chance of catching and deleting it before it gets sent.
Is there a way that I can configure Postfix to defer any message that arrives and exceeds a certain threshold of intended recipients (or other criteria)?
This is not possible with vanilla Postfix. It is designed to send mail, not to analyze outgoing mail before sending.
If you need something like that, then you have to introduce external policy filters. One of them is policyd (http://wiki.policyd.org/features) which provides exactly what you want: Quotas, Accounting and ACLs.
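As an added illustration of the external policy filter approach (not part of the answer above, and not policyd's code), here is a small service that speaks Postfix's policy delegation protocol and answers `HOLD` when an authenticated sender exceeds a recipient threshold. The threshold, the choice of `HOLD` (mail stays in the hold queue until released with `postsuper -H` or deleted with `postsuper -d`) and the sample request are assumptions made for this sketch.

```python
# Added example: Postfix policy delegation service that holds mail from
# authenticated senders with too many recipients. Intended to be run by
# spawn(8) and called via check_policy_service from
# smtpd_end_of_data_restrictions, where recipient_count is populated.
import sys

MAX_RECIPIENTS = 50  # assumed threshold, tune per site

# Constructed sample request (name=value lines, blank line terminates).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=END-OF-MESSAGE\n"
    "sasl_username=alice\n"
    "recipient_count=120\n"
    "\n"
)

def parse_request(lines):
    """Collect attributes of one request; stop at the blank line."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs, max_recipients=MAX_RECIPIENTS):
    """Return an access(5) action: HOLD for large submissions, else DUNNO."""
    if attrs.get("protocol_state") != "END-OF-MESSAGE":
        return "DUNNO"  # recipient count is not final before end of data
    if not attrs.get("sasl_username"):
        return "DUNNO"  # only police authenticated submissions
    try:
        count = int(attrs.get("recipient_count", "0"))
    except ValueError:
        return "DUNNO"  # malformed value: do not block mail on it
    return "HOLD recipient limit exceeded" if count > max_recipients else "DUNNO"

def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Answer requests until Postfix closes the connection."""
    while True:
        attrs = parse_request(iter(stdin.readline, ""))
        if not attrs:
            break
        stdout.write("action=%s\n\n" % decide(attrs))
        stdout.flush()

if __name__ == "__main__":
    serve()
```

Held messages can be listed with `postqueue -p` (they are marked with `!`), which gives the account-locking script a window to delete them before anything is delivered.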