milter-ahead

It will never cease to amaze me how people keep using sendmail rather than exim, and then have to jump through ugly hoops to get it to do stuff which exim has on-board.

acl_check_rcpt:
  require verify=recipient/callout=defer_ok

Does quite exactly the same thing, and is built in to exim (v4). Even better: it actually caches results, so that not only do you not overload your primary system, you might also block some extra mails even when the primary is down and your cache hasn't expired yet. Oh, and one can easily do the same thing for senders, so that you don't get mail with nonexistent email addresses in the envelope from. Catches quite some spam too, that.

Still, I don't run backup MXen, simply because distributing SpamAssassin bayes databases and rulesets is rather complicated... and if my mailserver goes down for a while, I'm sure any sending host will attempt to deliver their mail once I fix the problem. As has happened a few times already by now.
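A fuller version of the ACL above, given here as an added example rather than the author's own configuration: it spells out the callout cache lifetimes and adds the sender check the post mentions. The `+relay_to_domains` list, the 30s timeout and the reject messages are assumptions; the expiry values shown are Exim's documented defaults.

```exim
# --- main configuration section ---
# Added example, not from the original post.
acl_smtp_rcpt = acl_check_rcpt

# Assumption: relay_to_domains is the named list of domains this host
# is a backup MX for (constructed sample value).
domainlist relay_to_domains = example.org

# Callout cache lifetimes (values shown are Exim's defaults).
# A cached "no such user" result keeps rejecting for up to
# callout_negative_expire even while the primary is unreachable.
callout_positive_expire        = 24h
callout_negative_expire        = 2h
callout_domain_positive_expire = 7d
callout_domain_negative_expire = 3h

# --- ACL section ---
begin acl

acl_check_rcpt:

  # Sender callout: reject envelope senders whose own MX refuses them.
  # defer_ok: if that MX cannot be reached, treat the check as passed
  # rather than returning a temporary failure.
  deny    message = Sender address could not be verified
          !verify = sender/callout=30s,defer_ok

  # Recipient callout for relayed domains: ask the primary (or the
  # cache) whether the mailbox exists before accepting the RCPT.
  # message must precede the condition so it is set when verify fails.
  deny    domains = +relay_to_domains
          message = Unknown recipient
          !verify = recipient/callout=30s,defer_ok

  # Relayed domains that passed the checks above are accepted.
  accept  domains = +relay_to_domains

  deny    message = Relay not permitted
```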