
Patrick
Resolved
0 votes
Hi Everyone,

I have ClearOS set up in gateway mode and everything is working out well thus far. The only real issue I'm having is in sending email from a client/phone when outside the building/LAN. I can't connect to the outbound mail server. When inside the LAN mail sends out just fine.

I have the SMTP service turned on and Mail Forwarding enabled for both my internal mail servers. In the firewall settings I have SMTP enabled under Incoming Connections. In the past with other products I've just set up a port forward on SMTP. However, I can't port forward 25 and also have SMTP listed under incoming connections.

How do I accomplish this without just setting up a port forward? I don't want to lose the ability to filter email coming through the gateway.

Thanks all
Sunday, June 18 2017, 11:25 PM
Responses (5)
  • Accepted Answer

    Patrick
    Monday, June 19 2017, 01:10 AM - #Permalink
    Resolved
    0 votes
    My internal mail server message:
    530 SMTP authentication is required. (in reply to RCPT TO command)

    I guess what I'm asking...is ClearOS preventing the connection to my mail server for outbound mail? I haven't been able to authenticate my email client with my outbound mail server.
  • Accepted Answer

    Patrick
    Monday, June 19 2017, 07:09 AM - #Permalink
    Resolved
    0 votes
    Should I have SMTP authentication turned on within ClearOS? When I do, I see this message in the maillog.
    warning: unknown[myinternet IP]: SASL LOGIN authentication failed: authentication failure

    When I turn authentication off I get this message.
    NOQUEUE: reject: RCPT from unknown 454 4.7.1 Relay access denied;
  • Accepted Answer

    Monday, June 19 2017, 01:24 PM - #Permalink
    Resolved
    0 votes
    Patrick is spot on. Thanks Patrick! The only safe way to relay email from the outside is to turn on authentication. This too has its risks because now each of your users and their usernames and passwords (if they are weak) are attack vectors for spam. We see this all the time in ClearCARE support where SMTP authentication is turned on to give the results of being able to send mail on the outside but not enough is done to secure the client.

    - For example, passwords sent in plain text means that a man-in-the-middle attack on your SMTP service will be able to relay mail now through your SMTP service and destroy your reputation to send mail on the internet. To prevent this, make sure that TLS is turned on and that your clients are only configured with Secure TLS for their SMTP settings, and for the POP3 and IMAP settings have them use POP3S and IMAPS (don't even open the non-secure ports).

    - Another vector is antivirus on the workstations. We also see that users can be compromised on the inside of the network and hackers can see the passwords they are using through various means. Knowing this and that you have an authentication relay for email means that once again your mail server is compromised and sending spam on behalf of exploitive dorks who rationalize their immoral extortion of your resources in their minds by stating that you had it coming because you failed to secure your network.

    - Another vector is that you can have users with bad passwords that make them easy to guess. With authentication now open to the outside, spammers will use probes to attempt to detect authentication vectors. They will even use your own users' usernames as pawns if they are known. And by known I mean that the hackers already send you spam so they know your accounts, see. So they look up the mail domain for that account and see if they can authenticate to it. Even though your mail server uses TLS, they can securely connect and try all day long to guess your users' passwords. This is why you need to have strong passwords and ALSO why you need to install and use the Attack Detector app under ClearOS 7 (for ClearOS 6 users you will want to set up the open source fail2ban app).
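The failed-login warning quoted earlier in the thread is what a password-guessing run leaves in the maillog. As an added example (not part of the original posts), this Python code counts such failures per source address in a sliding window; the log lines, the host name `gw`, the addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the Postfix smtpd "SASL ... authentication failed" warning.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/\S*smtpd\[\d+\]:\s"
    r"warning:\s\S+\[(?P<ip>[^\]]+)\]:\sSASL\s\S+\sauthentication failed"
)

# Constructed sample maillog lines (documentation-range addresses).
SAMPLE_LOG = """\
Jun 19 07:05:12 gw postfix/smtpd[2143]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Jun 19 07:05:40 gw postfix/smtpd[2143]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Jun 19 07:06:02 gw postfix/smtpd[2150]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 454 4.7.1 <a@example.net>: Relay access denied;
Jun 19 07:06:30 gw postfix/smtpd[2143]: warning: unknown[203.0.113.45]: SASL PLAIN authentication failed: authentication failure
Jun 19 07:09:00 gw postfix/smtpd[2161]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jun 19 09:30:00 gw postfix/smtpd[2170]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jun 19 09:31:00 gw postfix/smtpd[2170]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
""".splitlines()

def find_bruteforce(lines, max_fails=3, window=timedelta(minutes=10), year=2017):
    """Return {ip: time the threshold was first crossed} for offending addresses."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    offenders = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # relay rejections and other lines are ignored
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window: # expire failures older than the window
            q.popleft()
        if len(q) >= max_fails and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} crossed the failure threshold at {when}")
```

This is the kind of per-address counting that tools such as fail2ban automate before inserting a firewall block; the address with three failures spread over more than two hours stays below the threshold.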
  • Accepted Answer

    Patrick
    Monday, June 19 2017, 02:36 PM - #Permalink
    Resolved
    0 votes
    Thanks for the info Dave!

    I guess the question at this point is how do I use SASL authentication for "remote clients" to gain SMTP "same network" rights? How does this work if my mail server is already authenticating SMTP connections?

    I really need a fairly straightforward solution to allow remote clients/employees the ability to send email when they are not physically on the LAN.

    Any further guidance is much appreciated!
  • Accepted Answer

    Monday, June 19 2017, 06:38 PM - #Permalink
    Resolved
    0 votes
    There is one more thing you can do. Due to a feature (bug) in the ClearOS setup, authentication by SMTPS is permanently enabled. What you can do, instead of turning on Authentication, is switch to SMTPS and open incoming tcp:465 in your firewall. Theoretically this is no more secure than turning on authentication and using tcp:25, except that there is still hostile traffic on 465 but far less than on 25. The attack vector is the same and app-attack-detector provides the same defence to 465 as it does to 25. Personally I use STARTTLS on tcp:587 rather than SMTPS, but that requires further configuration of ClearOS.

    The SMTPS solution will work both inside and outside your LAN.
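Both the advice above to allow only TLS-protected logins and the choice between tcp:25, tcp:465 and tcp:587 come down to whether the server offers AUTH before encryption starts. As an added example (not part of the original posts), this Python code audits EHLO replies captured before any TLS handshake; the replies and the host name `mail.example.com` are constructed assumptions.

```python
# Constructed EHLO replies as sent before any TLS handshake. Port 465 (SMTPS)
# wraps the whole session in TLS, so it has no cleartext phase to audit.
SAMPLE_EHLO = {
    25: ["250-mail.example.com", "250-PIPELINING", "250-STARTTLS",
         "250-AUTH PLAIN LOGIN", "250 8BITMIME"],
    587: ["250-mail.example.com", "250-PIPELINING", "250-STARTTLS",
          "250 8BITMIME"],
}

def parse_ehlo(reply_lines):
    """Map each advertised ESMTP keyword to its list of parameters."""
    caps = {}
    for line in reply_lines[1:]:              # first line is the server greeting
        code, sep, rest = line[:3], line[3:4], line[4:].strip()
        if code != "250" or sep not in "- " or not rest:
            continue
        # Some servers also advertise the legacy "AUTH=PLAIN LOGIN" form.
        keyword, *params = rest.replace("=", " ").split()
        caps.setdefault(keyword.upper(), []).extend(p.upper() for p in params)
    return caps

def cleartext_auth_findings(pre_tls_replies):
    """Return {port: finding} for ports where a login could travel unencrypted."""
    findings = {}
    for port, lines in pre_tls_replies.items():
        caps = parse_ehlo(lines)
        if "AUTH" in caps:
            mechs = " ".join(sorted(set(caps["AUTH"])))
            findings[port] = f"AUTH {mechs} offered before TLS"
        elif "STARTTLS" not in caps:
            findings[port] = "no STARTTLS offered"
    return findings

if __name__ == "__main__":
    for port, finding in cleartext_auth_findings(SAMPLE_EHLO).items():
        print(f"tcp:{port}: {finding}")
```

In Postfix, setting `smtpd_tls_auth_only = yes` is what removes the AUTH line from the pre-TLS reply, so a client that skips STARTTLS cannot send a password at all.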