I'm doing it the other way around, which is slightly less work because you don't have to create new email addresses explicitly: Catch-all by default, with a recipient blocklist as part of smtpd_relay_restrictions that I update whenever some service gets breached.