you should avoid that for two reasons:

* automated form submits may lead in blacklisting because
it results in a delivery attempt behind the scenes
http://www.postfix.org/ADDRESS_VERIFICATION_README.html

* if your webserver is able to execute shell commands
the setup is highly questionable

Address verification is always a guess. You're assuming that by address
verification I'm talking about actually connecting to the remote SMTP
server and sending "RCPT TO". I'm not talking about that, I'm talking
about asking Postfix if the syntax of the address is valid and if the
DNS is set up suitably to be able to potentially be able to deliver
the message. I.e, are there valid MX records etc. That is how Exim
does it at least.
I don't agree. Executing the following Perl from a CGI script is
completely safe:

my $valid = eval {
open(my $output, '-|', '/usr/sbin/sendmail', '-bv', $email_address);
close $output;
return $? == 0 ? 1 : 0;
};

beside postfix verify,

http://www.postfix.org/ADDRESS_VERIFICATION_README.html

you may use

http://www.jetmore.org/john/code/swaks/
in a script to build a "table" with valid recipients

i ve tested some stuff for other reasons

https://sys4.de/de/blog/2014/03/02/recipient-verification-tls-mandatory-modus/



Best Regards
MfG Robert Schetterer

i doubt: https://github.com/Exim/exim/wiki/Verification

for a formal check without verification you don't need a MTA
http://search.cpan.org/~rjbs/Email-Valid-1.195/lib/Email/Valid.pm
http://search.cpan.org/~nlnetlabs/Net-DNS-0.80/lib/Net/DNS.pm

BTW - the MX record is not mandatory
if not present the MTA falls back to the A record!
if it is done safe and secure - you know every scripts
present on your webserver are audited and safe and don't
use unsanitized user inputs? doubt!

hence in case of PHP:
disable_functions = "apache_child_terminate, chown, dl, exec, fileinode,
get_current_user, getmypid, getmyuid, getrusage, highlight_file, link,
mail, openlog, passthru, pclose, pcntl_alarm, pcntl_errno, pcntl_exec,
pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority,
pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask,
pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait,
pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled,
pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, pfsockopen, popen,
posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid,
proc_close, proc_get_status, proc_nice, proc_open, proc_terminate,
shell_exec, show_source, socket_accept, socket_bind, symlink, syslog,
system"

That's a link to a bunch of examples of SMTP time ACL based
address verifications in Exim which have explicitly had callouts turned
on. Note, what you've linked to has no connection whatsoever with what
Exim does when you run "sendmail -bv" as that command only runs through
the routers and not the ACLs.
Yes, I realise I can write code to do syntax and DNS checks which might
resemble Postfixes ability to route a message. Then I have to worry about
things like whether or not Postfix can route mail to ☺@☺.example.com and
whether or not Email::Valid supports UTF-8 local parts or punycode blah
blah blah.

IMO, it is both better, and easier, to ask your mail server if it is
able to route a message rather than doing lots of checks to guess what
your mail server might be able to do.
Yes. I know that. Don't forget AAAA records.
I will agree with you that insecure code is insecure. *shrug*

That's not what Sendmail does, as far as I recall. You know, the
program whose name appears in "sendmail -bv".

There hasn't been demand for what you ask in the 17 years that
people have used Postfix. It could be implemented with another
postqueue command option that connects to the verify daemon, perhaps
with a flag that says don't talk to remote servers. This runs an
email address through Postfix's "routers" and agents that know how
to deliver mail. If the mail queue is not congested then this
produces a result in seconds.

Wietse

I wasn't using Exim as an example of the right way to do things, so
there's not much point in using Sendmails behaviour as a counter
example. I was just demonstrating that there is more than one way to
"verify" an address and it doesn't necessarily have to involve
callouts and all of the problems that entails.
That feature sounds like it would be useful to me, but I understand
that lack of demand would make it a low priority feature request.