Thanks to those for giving the info above. It helped me find out what was going on. To add a bit to general knowledge on what I understand about postfix and mail addresses/users:
Postfix uses at certain stages the $myorigin variable to add to addresses that have no @domain part attached [1]. If you run a postfix server on a ML Server, that will normally work, because the default value for $myorigin is $myhostname and that $myhostname is normally where your network users (and local users) live (at least when you follow the default setup by Apple).
But if you have configured postfix to use an alias when talking to the outside world, e.g. (default pattern by Apple Server.app setup)
Your domain is server.foo.com
Your server is called server.foo.com
But your server uses an alias mail.foo.com ($myhostname) when talking to the outside world. As a result a name like bar will become bar@mail.foo.com inside postfix at certain points.
Your server, however, can only recognize the name without the @domain part or with the name of the server, so, for user bar, your server server.foo.com recognizes
bar
bar@server.foo.com
but it does not recognize
bar@mail.foo.com
and that leads to the sacl_check() error (check with "dsmemberutil getuuid -U <user>"), as explained by ckillian above.
When you empty $local_alias_maps, you in fact tell postfix it should not check if a local user exists at all, as this will be done downstream. That works to prevent the sasl_check() error, but it also stops postfix from filtering a lot of mail (spam) that is directed at non-existing users.
So, the only true solution for the local part (I haven't looked into anything with aliases that translate to an external address yet) seems to be to set $myorigin to the hostname of the server (but beware! see below):
sudo serveradmin settings mail:postfix:myorigin = server.foo.com
Note: if you set up ML Server and you choose a domain name, this becomes both the name of the machine and the name of the domain. E.g.
Your domain is server.foo.com
Your server is called server.foo.com
I prefer to have those separated, so I have set up my domain as foo.com. That means that after ML setup is complete I need to change the machine name to server.foo.com. That affects the validity of your setup, so you have to run the following command after having done the basic setup:
sudo changeip 192.168.x.x 192.168.x.x foo.com server.foo.com
Where 192.168.x.x should be replaced by the IP address of your server (a local address, assuming your server is behind a NAT router). That leads to:
Your domain is foo.com (also in DNS, you cover all of the foo.com domain in your own DNS)
Your server is called server.foo.com
That means that in using $mydomain for $myorigin does not work anymore, because the server does not recognize bar@foo.com, it only recognizes bar and bar@server.foo.com. So, you set the $myorigin to server.foo.com.
BUT THERE IS A NASTY CATCH: if bar is rewritten to bar@server.foo.com, postfix does not know yet that server.foo.com is a local destination. So, it happily sends the mail for bar@server.foo.com to your outside relay (if you're lucky to have one) or to your own mail server, creating an endless loop (if your luck runs out). The solution is to add $myorigin to $mydestination.
serveradmin won't let you change $mydestination. Even with a simple argument it crashes:
$ sudo serveradmin settings mail:postfix:mydestination = 'localhost'
2013-04-06 12:50:47.913 serveradmin[22575:707] -[__NSCFString objectEnumerator]: unrecognized selector sent to instance 0x7fb92a41e3b0
2013-04-06 12:50:47.914 serveradmin[22575:707] Exception in doCommand for module servermgr_mail on thread 0x7fb92a40c700: -[__NSCFString objectEnumerator]: unrecognized selector sent to instance 0x7fb92a41e3b0
(seems a bug), so you need to edit /Library/Server/Mail/Config/postfix/main.cf by hand and make sure $myorigin is added to $mydestination.
[1] If you use canonical names, e.g. user jonsmith inside becomes Jon.Smith@foo.com on the outside, you also have aliases that do the reverse: Jon.Smith@foo.com becomes jonsmith. But that latter name may get $myorigin added by postfix. If your aliases all are FQDNs in the form of jonsmith@server.foo.com this will not happen, but that is a bad solution (you won't catch all uses and it is hard to keep consistent).
[2] http://www.postfix.org/LOCAL_RECIPIENT_README.html
PS. I haven't tested a solution where you make $myorigin empty. It can work, but you need to have a canonical for all users, another consistency nightmare. The easiest solution would be if my Open Directory domain server.foo.com would accept mail.foo.com as an alias for password checking and UUID lookup.
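Added example (my own, not code from the post above): a small POSIX shell script that models the two steps the post describes, the bare local part getting "@$myorigin" appended and the resulting domain being looked up in $mydestination, on constructed values, so you can see when a bare name like "bar" would end up relayed instead of delivered locally. The last function runs the same check against a live Postfix; it assumes `postconf -x` is available (Postfix 2.10 or later).

```shell
#!/bin/sh
# Models Postfix's append_at_myorigin step: a bare local part gets
# "@$myorigin" appended, an already qualified address is left alone.
rewrite_bare() {
  case "$1" in
    *@*) printf '%s\n' "$1" ;;
    *)   printf '%s@%s\n' "$1" "$2" ;;
  esac
}

# is_local_domain DOMAIN MYDESTINATION
# Succeeds when DOMAIN appears in the comma/space separated mydestination list.
# Assumes $name references in the list have already been expanded.
is_local_domain() {
  domain=$1
  list=$(printf '%s' "$2" | tr ',' ' ')
  for d in $list; do
    [ "$d" = "$domain" ] && return 0
  done
  return 1
}

# classify LOCALPART MYORIGIN MYDESTINATION
# Prints "local" when the rewritten address stays on this server and
# "RELAYED" when Postfix would hand it to the relay (the loop risk above).
classify() {
  addr=$(rewrite_bare "$1" "$2")
  dom=${addr#*@}
  if is_local_domain "$dom" "$3"; then
    printf 'local\n'
  else
    printf 'RELAYED\n'
  fi
}

# Same check against the running Postfix (assumes postconf -x, Postfix 2.10+).
check_running_postfix() {
  o=$(postconf -xh myorigin) && m=$(postconf -xh mydestination) || return 2
  if is_local_domain "$o" "$m"; then
    echo "ok: myorigin=$o is listed in mydestination"
    return 0
  fi
  echo "WARNING: myorigin=$o is not in mydestination=$m; bare names get relayed" >&2
  return 1
}

# Constructed values matching the post: myorigin set to the server name
# while mydestination still only lists the mail alias.
classify bar server.foo.com 'mail.foo.com, localhost'                 # RELAYED
classify bar server.foo.com 'mail.foo.com, server.foo.com, localhost' # local
```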