After routing mail through postfix to an external relay server (in this case gmail's smtp relay), all the mail from a server was routing correctly. Except after a couple of days I noticed a couple of strange bounces. Authentication at the gmail end was by IP address and domain, so any address [email protected] could be used to send email. But these were coming from [email protected] so were being rejected with a helpful message by gmail.
The IP address you've 550-5.7.1 registered in your G Suite SMTP Relay service doesn't match domain of 550-5.7.1 the account this email is being sent from. If you are trying to relay 550-5.7.1 mail from a domain that isn't registered under your G Suite account 550-5.7.1 or has empty envelope-from, you must configure your mail server 550-5.7.1 either to use SMTP AUTH to identify the sending domain or to present 550-5.7.1 one of your domain names in the HELO or EHLO command. For more 550-5.7.1 information, please visit 550 5.7.1 https://support.google.com/a/answer/6140680
Pretty helpful as messages go. Less helpful was the fact that there were several websites on the server and a couple of other apps, and I didn't have access to the admin panels of any of them. The mails, once bounced, were removed from postfix's queue, never to be seen again. Time for some detective work.