Unable to connect from Outlook client (dovecot) (bonus logs included!!)

[atom-dispencer]

• I have setup DMS on a Debian VPS located at iatom.uk using a bare hostname. I would prefer to not use a mail subdomain, but if it is required I will do so.
• I have verified using MXToolbox that my DNS records are all correct (they all come up green).
• I have opened all email ports: 25, 110, 143, 465, 587, 993, 995 on my firewall
• I have used docker compose up -d to start DMS.
• I have verified that DKIM keys are correct (2023-dkim is the name on the DNS record):
  
• I have checked that my user has access to letsencrypt keys, and have verified them.
• I have added a new account. I even copy-and-pasted the password to make sure I couldn't mistype it. I have also deleted and recreated the user with a different password, but still get the same error.

Now, I am trying to add my DMS mailbox using Outlook (I have also tried with Gmail with even less success)

I have tried multiple configurations of Outlook settings.

This fails:

I have found the Outlook and DMS logs:
Outlook account metadata:

{
"Account config settings": {
		"Account type": "IMAP",
		"Email address": "me@iatom.uk",
		"Provider ID": "",
		"Server settings": [
			{
				"Server type": "Incoming",
				"Protocol name": "IMAP",
				"Server name": "iatom.uk",
				"Port": 143,
				"Use secure password authentication (SPA)": true,
				"Encryption method": "TLS",
				"User name": "me@iatom.uk",
				"Password provided": true,
				"Remember password": true
			},
			{
				"Server type": "Outgoing",
				"Protocol name": "SMTP",
				"Server name": "iatom.uk",
				"Port": 25,
				"Use secure password authentication (SPA)": true,
				"Encryption method": "TLS",
				"Outgoing (SMTP) server requires authentication": true,
				"Authentication method": "Same as incoming",
				"Server timeout": 60
			}
		]
	}
}

Outlook incoming:

IMAP: 17:40:55 [db] Connecting to 'iatom.uk' on port 143.
IMAP: 17:40:55 [db] OnNotify: asOld = 0, asNew = 2, ae = 0
IMAP: 17:40:55 [db] srv_name = "iatom.uk" srv_addr = 213.171.203.8:143
IMAP: 17:40:55 [db] OnNotify: asOld = 2, asNew = 3, ae = 1
IMAP: 17:40:55 [db] OnNotify: asOld = 3, asNew = 4, ae = 0
IMAP: 17:40:55 [db] OnNotify: asOld = 4, asNew = 5, ae = 2
IMAP: 17:40:55 [db] OnNotify: asOld = 5, asNew = 5, ae = 4
IMAP: 17:40:55 [db] OnNotify: asOld = 5, asNew = 5, ae = 3
IMAP: 17:40:55 [rx] * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready.
IMAP: 17:40:55 [tx] djdk CAPABILITY
IMAP: 17:40:55 [db] OnNotify: asOld = 5, asNew = 5, ae = 3
IMAP: 17:40:55 [rx] * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED
IMAP: 17:40:55 [rx] djdk OK Pre-login capabilities listed, post-login capabilities have more.
IMAP: 17:40:55 [tx] 2uqh STARTTLS
IMAP: 17:40:55 [db] OnNotify: asOld = 5, asNew = 5, ae = 3
IMAP: 17:40:55 [rx] 2uqh OK Begin TLS negotiation now.
IMAP: 17:40:55 [db] Negotiating secure connection with 'Microsoft Unified Security Protocol Provider'.
IMAP: 17:40:55 [db] OnNotify: asOld = 5, asNew = 6, ae = 2
IMAP: 17:40:55 [db] OnNotify: asOld = 6, asNew = 5, ae = 2
IMAP: 17:40:55 [tx] ylq4 CAPABILITY
IMAP: 17:40:55 [db] OnNotify: asOld = 5, asNew = 5, ae = 3
IMAP: 17:40:55 [rx] * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN
IMAP: 17:40:55 [rx] ylq4 OK Pre-login capabilities listed, post-login capabilities have more.
IMAP: 17:40:55 [tx] LOGIN command sent
IMAP: 17:40:55 [db] OnNotify: asOld = 5, asNew = 5, ae = 3
IMAP: 17:40:55 [rx] * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE QUOTA
IMAP: 17:40:55 [rx] mnuv OK Logged in
IMAP: 17:40:55 [tx] z5iu IDLE
IMAP: 17:40:55 [db] Connection to 'iatom.uk' closed.
IMAP: 17:40:55 [db] OnNotify: asOld = 5, asNew = 0, ae = 5

Outlook Outgoing:

2023.08.06 17:40:55 SMTP (iatom.uk): Port: 25, Secure: TLS, SPA: yes
2023.08.06 17:40:55 SMTP (iatom.uk): Finding host
2023.08.06 17:40:55 SMTP (iatom.uk): Connecting to host
2023.08.06 17:40:55 SMTP (iatom.uk): Connected to host
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 220 iatom.uk ESMTP
2023.08.06 17:40:56 SMTP (iatom.uk): [tx] EHLO DESKTOP37DJAOA
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250-iatom.uk
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250-PIPELINING
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250-SIZE 10240000
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250-ETRN
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250-STARTTLS
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250-ENHANCEDSTATUSCODES
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250-8BITMIME
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250-DSN
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250 CHUNKING
2023.08.06 17:40:56 SMTP (iatom.uk): Securing connection
2023.08.06 17:40:56 SMTP (iatom.uk): [tx] STARTTLS
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 220 2.0.0 Ready to start TLS
2023.08.06 17:40:56 SMTP (iatom.uk): Securing connection
2023.08.06 17:40:56 SMTP (iatom.uk): Connected to host
2023.08.06 17:40:56 SMTP (iatom.uk): [tx] EHLO DESKTOP37DJAOA
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250-iatom.uk
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250-PIPELINING
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250-SIZE 10240000
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250-ETRN
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250-ENHANCEDSTATUSCODES
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250-8BITMIME
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250-DSN
2023.08.06 17:40:56 SMTP (iatom.uk): <rx> 250 CHUNKING
2023.08.06 17:40:56 SMTP (iatom.uk): Authorizing to server
2023.08.06 17:40:56 SMTP (iatom.uk): Disconnecting from host
2023.08.06 17:40:56 SMTP (iatom.uk): Disconnected from host

DMS log

Aug  6 16:22:49 iatom.uk dovecot: imap-login: Login: user=<me@iatom.uk>, method=PLAIN, rip=84.71.125.70, lip=172.21.0.2, mpid=6255, TLS, session=<pgCAikMC8/FUR31G>
Aug  6 16:22:50 iatom.uk dovecot: imap(me@iatom.uk)<6255><pgCAikMC8/FUR31G>: Disconnected: Connection closed (IDLE running for 0.001 + waiting input for 0.002 secs, 2 B in + 10 B out, state=wait-input) in=11 out=436 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Aug  6 16:22:50 iatom.uk postfix/postscreen[6256]: CONNECT from [84.71.125.70]:61940 to [172.21.0.2]:25
Aug  6 16:22:50 iatom.uk postfix/postscreen[6256]: PASS OLD [84.71.125.70]:61940
Aug  6 16:22:50 iatom.uk postfix/smtpd[6257]: connect from unknown[84.71.125.70]
Aug  6 16:22:50 iatom.uk postfix/smtpd[6257]: Anonymous TLS connection established from unknown[84.71.125.70]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
Aug  6 16:22:50 iatom.uk postfix/smtpd[6257]: lost connection after EHLO from unknown[84.71.125.70]
Aug  6 16:22:50 iatom.uk postfix/smtpd[6257]: disconnect from unknown[84.71.125.70] ehlo=2 starttls=1 commands=3

Result of docker exec -ti mailserver doveconf -n

# 2.3.20 (80a5ac675d): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.20 (149edcf2)
# OS: Linux 6.1.0-10-cloud-amd64 x86_64 Debian 11.7 ext4
# Hostname: iatom.uk
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = sha1:6
hostname = iatom.uk
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_location = maildir:/var/mail/%d/%n
mail_plugins = " quota"
mail_privileged_group = docker
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags notify imapsieve vnd.dovecot.imapsieve vnd.dovecot.pipe vnd.dovecot.filter
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/userdb
  driver = passwd-file
}
plugin {
  quota = count:User quota
  quota_grace = 10%%
  quota_max_mail_size = 10M
  quota_rule = *:storage=0
  quota_rule2 = Trash:storage=+50M
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_vsizes = yes
  quota_warning = storage=95%% quota-warning 95 %u %d
  quota_warning2 = storage=80%% quota-warning 80 %u %d
  quota_warning3 = -storage=100%% quota-warning below %u %d
  sieve = ~/.dovecot.sieve
  sieve_after = /usr/lib/dovecot/sieve-global/after/
  sieve_before = /usr/lib/dovecot/sieve-global/before/
  sieve_dir = ~/sieve
  sieve_extensions = +notify +imapflags +vnd.dovecot.pipe +vnd.dovecot.filter
  sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
  sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
postmaster_address = postmaster@iatom.uk
protocols = " imap lmtp"
service aggregator {
  chroot =
}
service anvil {
  chroot =
}
service auth {
  unix_listener /dev/shm/sasl-auth.sock {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-master {
    group = docker
    mode = 0600
    user = docker
  }
  unix_listener auth-userdb {
    group = docker
    mode = 0666
    user = docker
  }
}
service director {
  chroot =
}
service imap-login {
  chroot =
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service imap-urlauth-login {
  chroot =
}
service ipc {
  chroot =
}
service lmtp {
  unix_listener lmtp {
    group = postfix
    mode = 0660
  }
}
service managesieve-login {
  chroot =
}
service old-stats {
  chroot =
}
service pop3-login {
  chroot =
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener {
    address = 127.0.0.1
    port = 65265
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning
  unix_listener quota-warning {
    group = dovecot
    mode = 0660
    user = dovecot
  }
}
service stats {
  unix_listener stats-reader {
    mode = 00
  }
  unix_listener stats-writer {
    mode = 00
  }
}
service submission-login {
  chroot =
}
ssl = required
ssl_cert = </etc/letsencrypt/live/iatom.uk/fullchain.pem
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
stats_writer_socket_path =
userdb {
  args = username_format=%u /etc/dovecot/userdb
  default_fields = uid=docker gid=docker home=/var/mail/%d/%u
  driver = passwd-file
}
protocol lmtp {
  mail_plugins = " quota sieve"
}
protocol lda {
  mail_plugins = " quota sieve"
}
protocol imap {
  mail_plugins = " quota imap_quota"
}

Result of docker exec -ti mailserver postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
dkim_milter = inet:localhost:8891
dmarc_milter = inet:localhost:8893
dms_smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
header_checks = pcre:/etc/postfix/maps/header_checks.pcre
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
message_size_limit = 10240000
milter_default_action = accept
milter_protocol = 6
mua_sender_restrictions = $dms_smtpd_sender_restrictions
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = iatom.uk
myhostname = iatom.uk
mynetworks =
non_smtpd_milters = $dkim_milter
policyd-spf_time_limit = 3600
postscreen_bare_newline_action = enforce
postscreen_dnsbl_action = ignore
postscreen_dnsbl_sites =
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
smtpd_milters = $dkim_milter $dmarc_milter
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, check_policy_service inet:localhost:65265
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = /dev/shm/sasl-auth.sock
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = $dms_smtpd_sender_restrictions
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_chain_files = /etc/letsencrypt/live/iatom.uk/privkey.pem /etc/letsencrypt/live/iatom.uk/fullchain.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
smtpd_tls_exclude_ciphers = aNULL, SEED, CAMELLIA, RSA+AES, SHA1
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
smtputf8_enable = no
tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
virtual_alias_maps = texthash:/etc/postfix/virtual
virtual_mailbox_domains = /etc/postfix/vhost
virtual_mailbox_limit = 0
virtual_mailbox_maps = texthash:/etc/postfix/vmailbox
virtual_transport = lmtp:unix:/var/run/dovecot/lmtp

[casperklein]

Authentication on port 25 has been disabled in the latest release. Use port 465 instead, with implicit TLS/SSL (not STARTSSL).

[atom-dispencer]

Thank you, yes this works.

For anyone from the future, my email configuration is now:

Incoming:
Server: my.email.domain
Port: 143
STARTTLS
Use SPA

Outgoing:
Server: my.email.domain
Port: 465
TLS/SSL
Use SPA