You've gotten some good suggestions so far. I don't think I like the SSI method very much because it is more complicated than it needs to be (perhaps opening more security issues than it solves). Simplicity is your friend when it comes to security.

With that in mind, I like the suggestion to create a place for your users to get on the recipients list. As long as this area is secure, this is an improvement over simply restricting email TO the domains you host (which is the easiest solution, and therefore probably the best one). If you have clients who "must" have email to off-site domains or whatever, they can introduce forwarding rules via procmail. Or they be shown how to modify formmail.pl so that this vulnerability does not affect it, but they get email where they need it to go.