Solved (I think).
Thankfully I have an existing (working) server to compare with.
Going thru /etc/postfix/main.cf and /etc/postfix/master.cf there wasn’t much different between them.
Main.cf (new server) had the additional entries for milter - DKIM is enabled on the server - whilst the existing one didn’t.
The one key difference between them in main.cf is
New Server - inet_protocols = all
Old server - inet_protocols = ipv4
So I changed the new server to inet_protocols = ipv4.
Reloaded the config and stopped and started postfix for good measure - nothing amiss in the mail.log, so sent an email from new server to old server - it spat an error out about authentication.
Jun 9 23:11:50 host2 postfix/smtpd: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Jun 9 23:11:50 host2 postfix/smtpd: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed: generic failure
So set the chroot option back from n to y in master.cf (new server) - I has changed it in an attempt to get it out of the chroot.
Reloaded config and stopped & started postfix for good measure - nothing amiss during startup in mail.log.
So opened up a telnet session on port 25 (new server) and the 220 banner came back instantly. Held back the urge to celebrate and opened up Roundcube (new server) and sent an email to an account on the old server - and YES it went instantly.
I suspect Postfix was trying a DNS or other network related query on IPv6 but IPv6 is disabled.
So on with setting DMARC tomorrow and then moving domains\virtual servers from old server. Probably more problems waiting there. LOL