Hi Matt,
LDAP Synchronization only supports the option to drop invalid recipients. With LDAP Sync set up and drop invalid recipients enabled, when a message is sent to the Brightmail Gateway with invalid recipients, the message is accepted, scanned and then silently deleted without ever sending any kind of response back to the sending server.
The other option you have, and the better option in my opinion, is to create a Recipient Validation LDAP source and then enable the ability to reject messages to invalid recipients. With reject messages to invalid recipients enabled, when the sending SMTP server connects and tries to send messages to invalid recipients, it will be sent a 'user does not exist' error. In this case we never need to accept or scan the message and therefore save lots of resources, and the sending SMTP server is aware of the problem.
The one issue with using reject is that it opens your address space up to directory harvest attackers, as they'll know when they've sent to a valid sender as they won't receive an error. To combat this, you should enable the Directory Harvest Attack functionality.
Kevin
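
The trade-off described in the reply above can be seen in SMTP logs: once invalid recipients are rejected, a harvesting source shows up as many distinct rejected recipients from one IP. This is an added example, not part of the original post and not Symantec's implementation; the log format, the sample lines, and the thresholds (`min_bad`, `min_bad_pct`) are assumptions made for illustration, and it tallies over the whole input rather than a time window.

```python
import re
from collections import defaultdict

# Constructed sample lines in a made-up format (not Brightmail Gateway output).
# code=550 stands for the 'user does not exist' rejection; 250 is an accepted RCPT.
SAMPLE_LOG = """\
2024-01-01T10:00:01 ip=203.0.113.7 rcpt=aaron@example.com code=550
2024-01-01T10:00:01 ip=203.0.113.7 rcpt=abby@example.com code=550
2024-01-01T10:00:02 ip=203.0.113.7 rcpt=adam@example.com code=250
2024-01-01T10:00:02 ip=203.0.113.7 rcpt=adrian@example.com code=550
2024-01-01T10:00:03 ip=203.0.113.7 rcpt=alan@example.com code=550
2024-01-01T10:00:03 ip=203.0.113.7 rcpt=albert@example.com code=550
2024-01-01T10:05:10 ip=198.51.100.20 rcpt=sales@example.com code=250
2024-01-01T10:05:11 ip=198.51.100.20 rcpt=suport@example.com code=550
2024-01-01T10:06:40 ip=198.51.100.20 rcpt=support@example.com code=250
2024-01-01T10:07:02 ip=198.51.100.20 rcpt=billing@example.com code=250
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) rcpt=(?P<rcpt>\S+) code=(?P<code>\d{3})")

def parse(log_text):
    """Yield (ip, recipient, smtp_code) for each RCPT line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["rcpt"].lower(), int(m["code"])

def find_harvesters(log_text, min_bad=5, min_bad_pct=80.0):
    """Return {ip: (distinct_bad_recipients, bad_percent)} for suspect sources.

    Both thresholds must be met, so a legitimate sender with one mistyped
    address (high count not reached) is not flagged.
    """
    seen = defaultdict(set)   # ip -> all distinct recipients attempted
    bad = defaultdict(set)    # ip -> distinct recipients rejected with 550
    for ip, rcpt, code in parse(log_text):
        seen[ip].add(rcpt)
        if code == 550:
            bad[ip].add(rcpt)
    flagged = {}
    for ip, rcpts in seen.items():
        n_bad = len(bad[ip])
        pct = 100.0 * n_bad / len(rcpts)
        if n_bad >= min_bad and pct >= min_bad_pct:
            flagged[ip] = (n_bad, round(pct, 1))
    return flagged

if __name__ == "__main__":
    print(find_harvesters(SAMPLE_LOG))
```

Counting distinct recipients rather than raw rejections keeps a server that retries one bad address from being flagged.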