Here's the approach I ended up with.
protected override void OnInit(EventArgs e)
{
base.OnInit(e);
PasswordRecoveryControl.SendingMail += PasswordRecoveryControl_SendingMail;
}
void PasswordRecoveryControl_SendingMail(object sender, MailMessageEventArgs e)
{
// Create network credentials from SMTP configuration settings.
var config = WebConfigurationManager.OpenWebConfiguration(HttpContext.Current.Request.ApplicationPath);
var settings = (MailSettingsSectionGroup)config.GetSectionGroup("system.net/mailSettings");
var credentials = new NetworkCredential(settings.Smtp.Network.UserName, settings.Smtp.Network.Password);
// Send message over secure connection.
var mailClient = new SmtpClient(settings.Smtp.Network.Host, settings.Smtp.Network.Port);
mailClient.EnableSsl = true;
mailClient.UseDefaultCredentials = false;
mailClient.Credentials = credentials;
mailClient.Send(e.Message);
// Prevent control from sending message via default implementation.
e.Cancel = true;
}
Canceling the event still results in success as far as the control is concerned. This means the SuccessText and SuccessUrl properties on the control behave the way you want them to if not quite the way you might expect them to.