Mailman has the notion of "verified" email addresses. When a user is created / registered in Postorius, a Mailman user can be created. It's off by default but it seems like a logical thing to do. This user will be created when the client visits the user profile or preferences pages anyway, because it needs it in Mailman at that point.
However, the address that the user is created with is not verified. It's a good thing because Django, by itself, does not verify email addresses. The social auth providers that we use do validate them, but not Django, and when internal auth is involved then it's only Django.
In that case, how should this address be validated? Should Postorius consider that the login system always validates addresses and set them as verified in Mailman? Should it ask mailman to verify the email addresses when it encounters a user's un-verified address? This does not seem possible in REST at the moment (unless I missed it), and should be protected against multiple checks.