postfix
Vladimir Let 's say, 2019-04-05 09:21:34

How to send mail via Postfix from any IP and only after authorization?

Hello! Postfix is running on standard ports 25 and 465, and Dovecot is running on 143 and 993. Spamassassin is screwed and configured by sieve. At the same time, MySQL is being used, authorization is successful. Incoming from the outer zone temporarily REJECT through iptables, in addition to the IP from which the mail service is being tested. DNS is configured (there are MX, SPF and DKIM, and PTR was created by Bind9 automatically - it works and let it go). Certificates from Let's Encrypt and OpenDKIM are available. Directly from the server, mail is perfectly sent and received. IMAP works fine from the tested IP, but SMTP even after authorization (AUTH PLAIN LOGIN) gives "554 5.5.1 Error: no valid recipients" after entering "DATA". Checked manually via "openssl s_client -connect example.com:465". It is clear from the logs that "postfix/smtps/smtpd: warning:
Here are some Postfix settings:

smtp_use_tls = yes 
smtpd_use_tls = yes 
smtpd_tls_auth_only = yes 
smtpd_tls_received_header = yes 
smtpd_tls_wrappermode = yes 
smtpd_tls_security_level = may 
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may 
smtp_tls_note_starttls_offer = yes

smtp_tls_loglevel = 1 
smtpd_tls_loglevel = 1 

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes 
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

myhostname = mail.example.com
mydomain = example.com
myorigin = example.com
mydestination = 
mynetworks = 127.0.0.0/8 X.X.X.X

smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unverified_sender

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

Communication with the server from the tested IP looks something like this:
220 mail.example.com
EHLO example.com
250-mail.example.com
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
AUTH PLAIN xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
235 2.7.0 Authentication successful
MAIL FROM: <[email protected]>
250 2.1.0 Ok
RCPT TO: <[email protected]>
RENEGOTIATING
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mail.example.com
verify return:1
DATA
554 5.5.1 Error: no valid recipients

Please tell me how you can configure Postfix so that you can send letters from the mail server from "any" IP address and from "any" MUA (Thunderbird, by the way, for some reason refuses to work with the server via SSL, only STARTTLS).

1 answer(s)
Dmitry, 2019-04-05
@Tabletko

So your mydestination is empty.
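
Added example (not part of the original question or answer): in the session above, s_client printed RENEGOTIATING right after RCPT TO, because interactive `openssl s_client` treats an input line that starts with a capital R as a renegotiate command (Q quits) unless `-quiet` or `-ign_eof` is given, so the server never received a recipient. The Python check below runs over a constructed copy of that transcript with placeholder addresses; the function names are hypothetical.

```python
import re

# Constructed copy of the session in the question (placeholder addresses),
# as seen in interactive `openssl s_client -connect host:465`.
TRANSCRIPT = """\
220 mail.example.com
EHLO example.com
250-mail.example.com
250 SMTPUTF8
AUTH PLAIN xxxx
235 2.7.0 Authentication successful
MAIL FROM: <sender@example.com>
250 2.1.0 Ok
RCPT TO: <rcpt@example.org>
RENEGOTIATING
depth=0 CN = mail.example.com
verify return:1
DATA
554 5.5.1 Error: no valid recipients
"""

REPLY = re.compile(r"^\d{3}[ -]")  # SMTP reply line: 3-digit code, then space or hyphen
COMMAND = re.compile(r"^(EHLO|HELO|AUTH|MAIL FROM:|RCPT TO:|DATA|RSET|QUIT)", re.I)


def swallowed_commands(transcript):
    """Typed SMTP commands that s_client consumed instead of sending.

    Interactive s_client acts on input lines starting with capital 'R'
    (renegotiate) or 'Q' (quit), so no SMTP reply follows them.
    """
    lines = transcript.splitlines()
    found = []
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if COMMAND.match(line) and line[0] in "RQ" and not REPLY.match(nxt):
            found.append((i + 1, line, nxt))
    return found


def accepted_recipients(transcript):
    """Count RCPT TO commands the server answered with a 250 reply."""
    lines = transcript.splitlines()
    return sum(
        1 for cmd, reply in zip(lines, lines[1:])
        if cmd.upper().startswith("RCPT TO:") and reply.startswith("250")
    )


if __name__ == "__main__":
    for lineno, cmd, got in swallowed_commands(TRANSCRIPT):
        print(f"line {lineno}: {cmd!r} never reached the server (s_client printed {got!r})")
    print("recipients accepted before DATA:", accepted_recipients(TRANSCRIPT))
```

Repeating the manual test with `openssl s_client -quiet -connect example.com:465`, or typing `rcpt to:` in lowercase, keeps s_client from intercepting the line.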
