Your assessment of the problem is correct. By default, Postfix will only send mail for networks specified in the my_networks parameter and hosts that it has been told to relay to. Consequently, when you log in via roundcubemail, it is picking up your public IP and it is rejecting the mail based upon you not being on the appropriate network. (edit) **You probably don't want to make your public IP part of 'my_networks' least you become an open relay!**
This is where the different authentication methods come into play. The Dovecot authentication is rather straight forward. The postfix documentation (link
) shows a code fragment that can pretty much be copied straight into the bottom of your /etc/dovecot.conf. The example shown is for using system accounts, but can also be modified for virtual users where the passwwords are stored in an SQL database instead of the user account passwords. In main.cf the settings are rather trivial with there only being two that are required. A set of ones that I use that are slightly more restrictive are shown below.
Basically, with this option, Postfix will see if the user that is trying to send mail is a valid mail user on that system authenticated by the password and if so, permit it to send mail, regardless of the IP they are coming from. This is really handy when you are away from your home network. However, it only supports PLAIN authentication. For this reason it is imperative that you use TLS so that your password can't be captured by a packet sniffer.
The Flurdy tutorial for postfix should have a solid example of setting this up too. I personally also like the tutorial by Johnny Chadda.
Here are my SASL settings (in main.cf):
smtpd_sasl_type = dovecot
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = <your domain here>
I would also suggest (in dovecot) that if you run into trouble, that you can turn on the three debug functions: verbose, debug, and debug password - though it looks like you have the password part working. Therefore, SASL should be relatively easy for you to implement.