by pfg 3744 days ago
Your solution is still vulnerable in cases where someone's able to control postmasterfoobar@example.com. Admittedly, that's a bit far-fetched, but the correct solution would be to have an enumeration of allowed emails and only accept those (or, more generally: whitelist things).

It's amazing that their web component is even allowed to dictate what verification addresses are permittable. That should be the concern of a completely separate component of their infrastructure. Says a lot about their security architecture, I guess.

1 comments

Sorry, I made a bad implication that the backend would check to see if $MASTER_EMAIL was one of the three, as you called them, white-listed values ("postmaster", "hostmaster" or "webmaster") and if not then to stop processing the form.
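
The server-side check both comments describe, as an added example that is not part of the thread: a loose prefix match (a constructed illustration of a check that would accept postmasterfoobar@example.com, not code from the service under discussion) beside an exact match against an enumerated set. Function names are hypothetical and the sample addresses are constructed.

```python
# Added illustration; function names are hypothetical, sample inputs are constructed.
# The three local parts are the ones named in the thread.
ALLOWED_LOCAL_PARTS = ("postmaster", "hostmaster", "webmaster")


def prefix_check(address: str, domain: str) -> bool:
    """Loose form: accepts any local part that merely starts with an allowed name."""
    local, _, addr_domain = address.lower().rpartition("@")
    return addr_domain == domain.lower() and local.startswith(ALLOWED_LOCAL_PARTS)


def allowed_addresses(domain: str) -> frozenset:
    """Enumerate the complete set of acceptable verification addresses for a domain.

    The domain comes from the server's own record of the request,
    never from the submitted form.
    """
    d = domain.strip().lower().rstrip(".")
    return frozenset(f"{lp}@{d}" for lp in ALLOWED_LOCAL_PARTS)


def allowlist_check(address: object, domain: str) -> bool:
    """Strict form: the submitted value must equal an enumerated address exactly."""
    # Reject non-strings and non-ASCII input before case folding, so that
    # look-alike characters cannot fold into an allowed value.
    if not isinstance(address, str) or not address.isascii():
        return False
    # The submitted value is not trimmed or rewritten: anything that is not
    # one of the enumerated addresses (ignoring ASCII case) is rejected.
    return address.lower() in allowed_addresses(domain)


if __name__ == "__main__":
    samples = [
        "postmaster@example.com",
        "Hostmaster@Example.COM",
        "postmasterfoobar@example.com",
        "webmaster@example.com.other.test",
        "admin@example.com",
        "postmaster@example.com\n",
    ]
    for s in samples:
        print(f"{s!r:40} prefix={prefix_check(s, 'example.com')} "
              f"allowlist={allowlist_check(s, 'example.com')}")
```
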