My network security is handled elsewhere. I too believe in layered security, but my desire to use the right tool for the job is much stronger. My mail server is busy serving mail; my network security is handled by equipment built and optimized for that job.
It's not like it costs anything extra.... :)
Well...that's the attitude that got us operating systems that need a gigabyte of memory just to boot, and processors clocked at 3GHz that give me the same useful performance as my 4MHz Z80 twenty years ago. ;) Nothing is free. I can see both sides of this. I have an old FreeBSD machine without filtering in the kernel where I've been forced to create null routes for hosts that insisted on hammering the machine. My first firewall was Mischler's IPRoute for DOS on a 386-16 with a floppy drive. I know that any machine nowadays is plenty powerful enough to do basic filtering with no adverse effects. We have NICs that can handle Gigabit speeds handling data across a 1.5Megabit T1.
My suggestion is to just use the simplest solution for your situation.
If you don't have packet filtering in the cable, use a null route. If
you have it, use it. If you're completely averse to doing anything
other than mail on the mail server, give Apple a couple days to supply
the patches and run with that. Mike said the patches were against 1.1,
so it's not like anyone would absolutely need to use the beta 1.2 to get
these features. Even better if he can break the whole of the changes
into smaller patches.
Rick