RESOLVED A comment from Xavier Gillard helped guide me to the solution of my problem.
To recap, I was trying to setup Postfix to accept/deliver mail for virtual (non-UNIX) users, which are stored in a LDAP table. I tried to follow the howto at http://www.postfix.org/VIRTUAL_README.html On later testing, I was concerned that it seemed the server was relaying from foreign to other foreign domains. Xavier pointed out that "as long as you do not send from an address listed in mynetworks, <mail destined for foreign> should not be accepted." I then checked, and realized that: smtpd_recipient_restrictions defaults to 'permit_mynetworks, reject_unauth_destination' and mynetworks_style defaults to 'subnet' The machine I was using to check for relaying to foreign destinations was on the same subnet as the postfix machine. The two machines are connected with DSL with different static IP addresses, and different domains and FQDN, but happen to go through the same DSL ISP router, so are on the same subnet. I tend not to think of them being in a 'trusted' subnet, since they aren't, so it was not obvious to me that any software might default to trusting the subnet. By changing to mynetworks_style = host, the problem is solved. Thanks to those who offered assistance.
