Ah, the difference between this broken config and the working one on my other mailserver was this missing line:
> match for any from local action "outbound"

I set up this new mailserver for a different server to send mail through, and didn't realise aliases were considered in lookups as _the mailserver itself_ sending the message. Is that correct? Anyway, working now.
