Sorry for the unclear messaging. It's working now. I posted mostly in case it might help others in the future; I suspect that hasn't actually worked as intended.
The server was a new build. The external link uses DHCP and was configured for that. The external link came up fine, but the firewall rules were incorrect.
NAT was working okay, but the scripts that configure iptables have a default external IP address of 1.1.1.1, here:
/etc/e-smith/templates/etc/rc.d/init.d/masq/00Definitions: OUTERNET=1.1.1.1 # Put in placeholder address, to ensure correct iptables syntax
I presume that it's supposed to be redefined by some other code that somehow detects the external IP, but that wasn't working. I never found out why. Some kind of race condition maybe.
So the firewall was configured to allow external access to email, web services, port forwarding or any other services hosted by the SME server, but only if the destination IP address was 1.1.1.1, which of course it wasn't.
When choosing in the config console to configure the external interface as DHCP, there are two different options to choose from; neither worked. Lying to SME that the external link was static, then changing it back to DHCP, resolved the problem.
Sorry for the vague original messages, I hope that's clearer.
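
A check for the condition described in the post above, as an added example that is not part of the original post and not SME Server's own code: it scans `iptables-save` output for rules whose destination is still the 1.1.1.1 placeholder. The function name `stale_rules`, the sample ruleset, its chain names and the 203.0.113.10 external address are constructed for illustration.

```sh
#!/bin/sh
# Added example, not SME Server code.
PLACEHOLDER="1.1.1.1"   # OUTERNET default from 00Definitions, as quoted in the post

# stale_rules EXTERNAL_IP   (hypothetical helper; ruleset in iptables-save format on stdin)
# Prints each rule whose destination is still the placeholder.
# Returns 0 if at least one such rule exists, 1 if the ruleset is clean.
stale_rules() {
    ext_ip="$1"
    # If the external address really is the placeholder value, nothing is stale.
    [ "$ext_ip" = "$PLACEHOLDER" ] && return 1
    awk -v ph="$PLACEHOLDER" '
        /^-A / {
            for (i = 2; i < NF; i++) {
                # Exact option match, so --to-destination in DNAT rules is not confused with -d.
                if ($i == "-d" || $i == "--destination") {
                    addr = $(i + 1)
                    sub(/\/32$/, "", addr)   # iptables-save prints host addresses as a.b.c.d/32
                    if (addr == ph) { print; found = 1; break }
                }
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample ruleset (chain names and 203.0.113.10 are made up for illustration).
SAMPLE_RULES='*nat
-A PREROUTING -d 1.1.1.1/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.20:80
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -d 1.1.1.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d 1.1.1.1/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# On a live server: iptables-save | stale_rules "<current external address>"
printf '%s\n' "$SAMPLE_RULES" | stale_rules 203.0.113.10
```

Any rule it prints accepts or forwards traffic only for a destination the server does not hold, which matches the symptom in the post: NAT works while inbound services and port forwards are unreachable.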