How can one prevent Postorius from sending a password reset email to non-existent email addresses?

Out of the box, Postorius attempts to send a password reset to literally any email address one provides to the password reset form. I'd like to reconfigure it to send an email only when a user actually exists on the mailing list. The response to the form can stay the same (as there is no harm in saying an email was sent when the email address doesn't even exist).

This form is being abused by spammers and the haphazard reset email is crippling the server's mail reputation.

Another thought: is it possible to add a low-tech CAPTCHA there if there is no easy way to change the email behavior?