I found that using the "blacklist_to" token works as a solution for a transition period away from a catchall account.

I have added those known aliases to the account, kept the catchall turned on, and added (over a period of time) spam addresses (those created by spammers, never created by me) to the blacklist_to.

For example, I've added a list of spam addresses to /opt/zimbra/conf/salocal.cf.in:
blacklist_to taj@example.com
blacklist_to pren@example.com
blacklist_to service@example.com
Instructions are in the wiki.

Note: Spammers conjured up those fake addresses (where example.com is replaced with my domain). The catchall account received spam with those addresses in the TO: or CC: field. I've found thousands of spams sent to the same (so far) 52 addresses.

So, the transition solution for getting away from a catchall account might go this way:
1. Migrate mail server to Zimbra, including the catchall account. (This all came about because I had a catchall on the previous mail server.)
2. Add all known aliases to the catchall, while leaving the catchall on.
3. Over a period of time (I'm going for a few months), continue to add other good aliases to the catchall and add annoying spam emails to the blacklist_to token.
4. Finally, turn off the catchall and remove the blacklist_to in the /opt/zimbra/conf/salocal.cf.in.

This solution may be helpful for those with smaller sites. Hope this is helpful for someone.
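
One way to build the candidate list for step 3, as an added example that is not part of the original post: it tallies the To:/Cc: recipients at your domain across messages received by the catchall, skips known aliases, and emits `blacklist_to` lines for review. The domain, the alias set, the sample messages and the `min_hits` threshold are all assumptions made for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

DOMAIN = "example.com"  # assumption: the domain served by the catchall
KNOWN_ALIASES = {"info@example.com", "sales@example.com"}  # hypothetical good aliases

# Constructed sample messages standing in for mail pulled from the catchall.
SAMPLE_MESSAGES = [
    "From: a@spam.test\nTo: taj@example.com\nSubject: x\n\nbody\n",
    "From: b@spam.test\nTo: Taj <TAJ@example.com>, pren@example.com\n\nbody\n",
    "From: c@spam.test\nTo: someone@other.test\nCc: pren@example.com, info@example.com\n\nbody\n",
    "From: d@shop.test\nTo: newalias@example.com\nSubject: receipt\n\nbody\n",
]

def count_recipients(raw_messages, domain=DOMAIN):
    """Count how many messages named each local address in To: or Cc:."""
    counts = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        headers = msg.get_all("To", []) + msg.get_all("Cc", [])
        seen = set()  # count an address once per message
        for _name, addr in getaddresses(headers):
            addr = addr.strip().lower()
            if addr.endswith("@" + domain):
                seen.add(addr)
        counts.update(seen)
    return counts

def blacklist_lines(counts, known_aliases=KNOWN_ALIASES, min_hits=2):
    """Return blacklist_to lines for repeat targets that are not known aliases.

    min_hits is an assumed threshold: an address seen only once may be a
    legitimate alias not yet recorded, so it is left for manual review.
    """
    known = {a.lower() for a in known_aliases}
    return [
        f"blacklist_to {addr}"
        for addr in sorted(counts)
        if addr not in known and counts[addr] >= min_hits
    ]

if __name__ == "__main__":
    print("\n".join(blacklist_lines(count_recipients(SAMPLE_MESSAGES))))
```

Review the output by hand before pasting it into salocal.cf.in, since a blacklisted address that turns out to be a real alias will have its mail scored as spam.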