Postfix TLS unable to send (but can receive) mail

Using Roundcube (1.3.10) with Postfix (3.4.3) and Dovecot (2.2.36) on CentOS 7 VPS.
I can login and receive emails, but I cannot send them. Trying to send mail results in it hanging: "Waiting for webmail.mydomain.com..." in the bottom browser status bar, while Roundcube displays "Sending message..." for 2-3 minutes.

What could be causing this behavior? I had the server working until I switched to "secure" ports/services/config. Obviously STARTTLS is not working, but as to why or how to fix it I have no clue.

/var/log/maillog displays the following.

Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: initializing the server-side TLS engine
Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: connect from localhost[127.0.0.1]
Oct  6 20:13:10 hwsrv-579344 opendmarc[1060]: ignoring connection from localhost
Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: setting up TLS connection from localhost[127.0.0.1]
Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: localhost[127.0.0.1]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: SSL_accept:before/accept initialization
Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: read from 5557740F7890 [5557740FEE90] (11 bytes => 6 (0x6))
Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: 0000 52 53 45 54 0d 0a                                RSET..
Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: read from 5557740F7890 [5557740FEE96] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Oct  6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: read from 5557740F7890 [5557740FEE96] (5 bytes => 5 (0x5))
Oct  6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: 0000 51 55 49 54 0d                                   QUIT.
Oct  6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: SSL_accept:error in SSLv2/v3 read client hello A
Oct  6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: SSL_accept error from localhost[127.0.0.1]: -1
Oct  6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Oct  6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: lost connection after STARTTLS from localhost[127.0.0.1]
Oct  6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2
Oct  6 20:15:34 hwsrv-579344 postfix/smtpd[24014]: initializing the server-side TLS engine
Oct  6 20:15:34 hwsrv-579344 postfix/smtpd[24014]: connect from unknown[4.5.6.7]
Oct  6 20:15:35 hwsrv-579344 postfix/smtpd[24014]: lost connection after AUTH from unknown[4.5.6.7]
Oct  6 20:15:35 hwsrv-579344 postfix/smtpd[24014]: disconnect from unknown[4.5.6.7] ehlo=1 auth=0/1 commands=1/2

[...]/roundcubemail-1.3.10/logs/errors

[06-Oct-2019 16:36:00 -0400]: <a3dq5vv5> SMTP Error: Authentication failure: STARTTLS failed (Code: ) in [...]/roundcubemail-1.3.10/program/lib/Roundcube/rcube.php on line 1667 (POST /?_task=mail&_unlock=loading1570394100604&_lang=en&_framed=1&_action=send)

Below are my configuration settings for Postfix, Dovecot and Roundcube:

postconf -n

alias_database                      = $alias_maps
alias_maps                          = hash:/etc/postfix/aliases
biff                                = no
broken_sasl_auth_clients            = yes
command_directory                   = /usr/sbin
compatibility_level                 = 2
daemon_directory                    = /usr/libexec/postfix
data_directory                      = /var/lib/postfix
debug_peer_level                    = 2
debugger_command                    = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin 
                                      ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory                      = no
inet_interfaces                     = all
inet_protocols                      = ipv4
mail_owner                          = postfix
mailq_path                          = /usr/bin/mailq.postfix
manpage_directory                   = /usr/share/man
meta_directory                      = /etc/postfix
milter_default_action               = accept
milter_protocol                     = 2
mydestination                       = $myhostname, localhost.$mydomain, localhost
newaliases_path                     = /usr/bin/newaliases.postfix
non_smtpd_milters                   = unix:/var/run/opendkim/opendkim.socket, 
                                      unix:/var/run/opendmarc/opendmarc.socket, 
                                      unix:/var/run/spamass-milter/spamass-milter.socket
queue_directory                     = /var/spool/postfix
readme_directory                    = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains                       = *
sample_directory                    = /usr/share/doc/postfix-2.6.6/samples
sendmail_path                       = /usr/sbin/sendmail.postfix
setgid_group                        = postdrop
shlib_directory                     = no
smtp_tls_loglevel                   = 1
smtp_tls_security_level             = may
smtp_use_tls                        = yes

smtpd_milters                       = unix:/var/run/opendkim/opendkim.socket, 
                                      unix:/var/run/opendmarc/opendmarc.socket,
                                      unix:/var/run/spamass-milter/spamass-milter.socket
smtpd_recipient_restrictions        = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions            = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable              = yes
smtpd_sasl_local_domain             = $mydomain
smtpd_sasl_path                     = /var/run/dovecot/auth-client
smtpd_sasl_security_options         = noanonymous
smtpd_sasl_tls_security_options     = $smtpd_sasl_security_options
smtpd_sasl_type                     = dovecot
smtpd_tls_auth_only                 = yes
smtpd_tls_cert_file                 = /etc/ssl/private/vmail.crt
smtpd_tls_key_file                  = /etc/ssl/private/vmail.key
smtpd_tls_loglevel                  = 3
smtpd_tls_received_header           = yes
smtpd_tls_security_level            = may
smtpd_tls_session_cache_database    = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout     = 3600s
smtpd_use_tls                       = yes

tls_random_source                   = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

virtual_alias_maps                  = proxy:mysql:/etc/postfix/sql/virtual_alias_maps.cf
virtual_gid_maps                    = static:2000
virtual_mailbox_base                = /var/www/mail/vmail
virtual_mailbox_domains             = proxy:mysql:/etc/postfix/sql/virtual_domains_maps.cf
virtual_mailbox_maps                = proxy:mysql:/etc/postfix/sql/virtual_mailbox_maps.cf
virtual_minimum_uid                 = 2000
virtual_transport                   = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps                    = static:2000

/etc/postfix/master.cf

smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin
spamassassin unix -     n       n       -       -       pipe user=spamassassin argv=/usr/bin/spamc -f -e  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
submission inet n       -       n       -       -       smtpd 
  -o smtpd_tls_wrappermode=no
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
  -o smtpd_sasl_security_options=noanonymous
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

dovecot.conf

auth_mechanisms        = plain login
disable_plaintext_auth = yes
default_login_user     = vmail
first_valid_uid        = 2000
first_valid_gid        = 2000
listen                 = *
mail_access_groups     = vmail
mail_location          = maildir:/var/www/mail/vmail/%d/%n
protocols              = imap lmtp pop3
verbose_ssl            = yes

namespace inbox {
    type = private
    separator = /
    prefix =
    inbox = yes
}

namespace inbox {
    mailbox Drafts {
        auto = subscribe
        special_use = \Drafts
    }

    mailbox Junk {
        auto = subscribe
        special_use = \Junk
    }

    mailbox Trash {
        auto = subscribe
        special_use = \Trash
    }

    mailbox Sent {
        auto = subscribe
        special_use = \Sent
    }
}

passdb {
    driver = sql
    args = /etc/dovecot/dovecot-sql.conf
}

userdb {
    driver = static
    args = /etc/dovecot/dovecot-sql.conf
}

service lmtp {
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
        group = postfix
        mode = 0600
        user = postfix
    }
}

service auth {
    unix_listener auth-client {
        group = postfix
        mode = 0660
        user = postfix
    }
    user = root
}

service imap-login {
    inet_listener imaps {
        port = 993
    }

    process_min_avail = 1
    user = vmail
}

service pop3-login {
    inet_listener pop3s {
        port = 995
    }

    process_min_avail = 1
    user = vmail
}

ssl = required
ssl_cert = </etc/ssl/private/vmail.crt
ssl_key = </etc/ssl/private/vmail.key

[...]/roundcubemail-1.3.10/config/config.inc.php

// SQL DATABASE
$config['db_dsnw'] = 'mysql://roundcube:myassword@localhost/roundcubemail_db';

// IMAP
$config['default_host'] = 'imaps://mydomain.com/';
$config['default_port'] = 993;

//SMTP
$config['smtp_server'] = 'tls://localhost/';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['support_url'] = '[email protected]';
$config['smtp_auth_type'] = 'PLAIN';
$config['smtp_auth_cid'] = null;
$config['smtp_auth_pw'] = null;
$config['smtp_helo_host'] = '';
$config['smtp_timeout'] = 0;
$config['smtp_conn_options'] = array (
  'ssl' =>
  array (
    'verify_peer' => true,
    'verify_peer_name' => false,
    'verify_depth' => 3,
    'cafile' => '/etc/letsencrypt/live/mydomain.com/fullchain.pem',
  ),
);

//PLUGINS
$config['plugins'] = array('archive', 'attachment_reminder', 'autologon', 'emoticons', 'enigma', 'help', 'identicon', 'jqueryui', 'managesieve', 'markasjunk', 'password', 'subscriptions_option', 'vcard_attachments', 'zipdownload');
$config['language'] = 'en_US';
$config['spellcheck_engine'] = 'pspell';
$config['draft_autosave'] = 60;

firewall-cmd --list-all

services: dhcpv6-client http https imap imaps pop3 pop3s smtp smtps ssh
ports: 587/tcp 143/tcp 110/tcp 465/tcp 993/tcp 995/tcp

Thanks in advance for any help!


Solution 1:

Got a reply on howtoforge (props to Steini86). Thanks to everyone else for helping me get there.

TL;DR

$config['smtp_server'] = 'tls://localhost/';

should have been

$config['smtp_server'] = 'tls://domain.in.your.certificatefile/';

And reverting almost everything else back to the Roundcube default fixed it.