I am using Postfix, Dovecot, MySQL (virtual users), ClamAV (without Amavis), and SpamAssassin.
(running saslauthd (rimap), clamsmtpd, and spamd)
I am attempting to allow authed users (only) to relay mail to the outside, and I want a wildcard SSL cert to encrypt the authing process.
I read that I should use Outgoing port 587 and SSL/TLS to do this.
I can receive mail using incoming port 995 and SSL/TLS setting.
I can NOT send (relay) using port 25 (can send to same-domain, but not outside the machine).
I can send (relay) mail using outgoing port 465 OR 587 with STARTTLS setting.
I can NOT send (relay) using outgoing port 587 with SSL/TLS setting.
Code:
# telnet mail.mydomain.com 587
Trying xxx.xxx.xxx.xx...
Connected to mail.mydomain.com.
Escape character is '^]'.
220 mail.mydomain.com ESMTP mail.mydomain.com (Debian/GNU)
>>ehlo CopalFreak
250-mail.mydomain.com
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
>>QUIT
221 2.0.0 Bye
Connection closed by foreign host.
I was trying to figure out how to use telnet to debug it a bit more but got stuck here:
Code:
>>telnet mail.mydomain.com 587
Trying xx.xx.xx.xx...
Connected to mail.mydomain.com.
Escape character is '^]'.
220 mail.mydomain.com ESMTP mail.mydomain.com (Debian/GNU)
>>ehlo MyEmail@mydomain.com
250-mail.mydomain.com
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
>>AUTH LOGIN
438 4.7.0 Encryption required for requested authentication mechanism
>>AUTH LOGIN PLAIN
438 4.7.0 Encryption required for requested authentication mechanism
>>STARTTLS
220 2.0.0 Ready to start TLS
>>EHLO MyEmail@mydomain.com
Connection closed by foreign host.
This is probably a very big indicator of what's happening, but I have no clue how to diagnose it.
Onward..
Code:
# lsof -i -n | grep "submission"
master 8705 root 15u IPv4 229999 0t0 TCP *:submission (LISTEN)
Code:
#nmap localhost
587/tcp open submission
For brevity's sake, I have limited the master.cf and main.cf contents below to the stuff that I think might affect it. If there is something that I have missed that might be important, just let me know.
Code:
# -----------------------------------------------------------------------------------------
# relevant portions of /etc/postfix/master.cf
# -----------------------------------------------------------------------------------------
smtp inet n - n - - smtpd
  -o content_filter=scan:127.0.0.1:10025
submission inet n - n - - smtpd
# -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable-yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=/var/spool/postfix/private/auth
  -o smtpd_sasl_security_options-noanonymous
  -o smtpd_sasl_local_domain-$myhostname
smtps inet n - n - - smtpd
scan unix - - n - 16 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_enforce_tls=no
smtp unix - - n - - smtp
spamassassin unix - n n - - pipe
  user=spamd argv=/usr./bin/spamc -f -e
  /usr/sbin/sendmail -oi -f${sender} ${recipient}
# for injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
  -o content_filter=spamassassin
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
dovecot unix - n n - - pipe
  flags=DRhu user=dovecot:dovecot argv=/usr/libexec/dovecot/deliver -d ${recipient}
# -----------------------------------------------------------------------------------------
# End master.cf
# -----------------------------------------------------------------------------------------
Code:
# -----------------------------------------------------------------------------------------
# relevant portions of /etc/postfix/main.cf
# -----------------------------------------------------------------------------------------
relay_domains = $mynetworks
smtpd_client_restictions =
smtp_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_exceptions_networks = $mynetworks
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = $virtual_login_maps
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_helo_required = yes
smtpd_tls_ask_ccert = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_received_header = no
smtpd_tls_loglevel = 1
smtpd_sasl_auth_enable - yes
smtpd_use_tls = yes
smtpd_tls_cert_file = /path/to/MyCert.pem
smtpd_tls_key_file = /path/to/MyKey.pem
smtpd_tls_CAfile = /path/to/MyCA-Cert.pem
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
# -----------------------------------------------------------------------------------------
# End main.cf
# -----------------------------------------------------------------------------------------
One thing that might be affecting it is in the mail log, I see:
Code:
postfix/anvil[17020]: statistics: max connection rate 2/60s for (submission:xx.xx.xx.xx) at Aug 27 02:28:29
In the main.cf I have this, but not sure if that's actually affecting it or not.
Code:
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
Other than that, I don't see any errors or anything in the logs.
(which actually bothers me a bit)
Any help would be appreciated.
Thanks!
-=*CopalFreak*=-
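An added example, not part of the original post and not Postfix code: a small Python check that parses master.cf entries like the ones posted above and reports `-o` overrides that are not in `name=value` form, a submission listener whose `smtpd_tls_security_level` override is not `encrypt`, and an smtps listener without `smtpd_tls_wrappermode=yes`. The sample text is constructed from the post with continuation-line indentation restored, and the function names `parse_master_cf` and `audit` are hypothetical.

```python
import re

# Constructed sample: entries from the post, continuation-line indentation restored.
SAMPLE = """\
submission inet n - n - - smtpd
# -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable-yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=/var/spool/postfix/private/auth
  -o smtpd_sasl_security_options-noanonymous
  -o smtpd_sasl_local_domain-$myhostname
smtps inet n - n - - smtpd
"""

def parse_master_cf(text):
    """Return {(service, type): (overrides dict, malformed -o arguments)}."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank lines and comments are ignored
        if raw[0].isspace() and entries:
            entries[-1] += raw.split()    # indented line continues the entry
        else:
            entries.append(raw.split())
    services = {}
    for fields in (e for e in entries if len(e) >= 8):
        args = fields[8:]                 # 7 columns + command, then arguments
        overrides, malformed = {}, []
        for arg in (a for flag, a in zip(args, args[1:]) if flag == "-o"):
            name, eq, value = arg.partition("=")
            if eq and re.fullmatch(r"\w+", name):
                overrides[name] = value
            else:
                malformed.append(arg)     # -o must be followed by name=value
        services[(fields[0], fields[1])] = (overrides, malformed)
    return services

def audit(text):
    """List findings for the submission (587) and smtps (465) listeners."""
    findings = []
    for (svc, _type), (opts, bad) in parse_master_cf(text).items():
        findings += [f"{svc}: '-o {a}' is not in name=value form" for a in bad]
        if svc == "submission" and opts.get("smtpd_tls_security_level") != "encrypt":
            findings.append("submission: TLS level override is not 'encrypt'")
        if svc == "smtps" and opts.get("smtpd_tls_wrappermode") != "yes":
            findings.append("smtps: no smtpd_tls_wrappermode=yes (implicit TLS)")
    return findings
```

Calling `audit(open("/etc/postfix/master.cf").read())` runs the same checks against a live file; settings inherited from main.cf are not considered.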