Have followed several of the threads here about relays (and relay denied issues), use of TLS (and an apparent issue in the zmmta.cf between Outlook SPA and Thunderbird), and SPA issues. Unfortunately I'm still missing something which may be relatively obvious.
My status: a happy, working Zimbra system with web functionality working properly (still working on the third party cert, but that's another matter). However, Outlook clients aren't working with SPA and SSL. When the client is set to use SPA, "outgoing server requires authentication", "use same settings as my incoming server", and under Advanced, "The server requires an encrypted connection (SSL)" - I get errors that SMTP rejects my username & password and that POP3 does not support SPA.
Backing off SPA on the Outlook client, POP3 works under SSL but SMTP still rejects the username.
If I back off of SMTP Auth on the Outlook client, all works fine (presumably under SSL since those are still specified in the client) - except the MTA now rejects any outside-domain email since my client isn't authenticated.
On the Global settings, both these are enabled:
Enable Authentication: YES
TLS authentication only: YES (if unchecked, then SMTP SSL fails on Outlook)
I did try the hack to zmmta.cf (placing a ! in front of the smtpd_tls_auth_only) and it caused all SSL/TLS to fail from Outlook.
Any suggestions would be appreciated, especially those that enable SMTP Auth and SPA if possible under Zimbra. I've also tried using a relay host, but it is an old SMTP (non-SSL) host, and when I set it as the relay, the messages fail due to it rejecting an SSL session (which must just get forwarded or redirected from the Zimbra server).