Hmm... looking at
aliases(5), it looks like I can do :include: /path/to/file. So it looks like I'll be pulling usernames out of the passwd file, sending them to another file that is ":include:"ed, and run postalias / postfix reload every so often via cron.
Problem solved. Unless anyone else can come up with anything better.