Can you send from the LAN, WAN or neither?

Provided your using authentication it should work unless these ports are blocked on public wifi. If they are blocked on public wifi perhaps you can use z-push instead? z-push uses port 443 which every public wifi hot spot should let you connect to. It doesn't require SMTP port to send from your mobile. To use z-push you need to create an activesync account or exchange account if your on iphone.

z-push supports: Android, iPhone, BlackBerry. Windows phone is also supported but they don't take non trusted SSL certs so you might have to e-mail yourself clearos' certs to get it to work.

To authenticate clients connecting from public WiFi you have a few choices.

1 - You could use something like OpenVPN to connect to your network then authenticate as you would on your LAN by adding the OpenVPN IP range to your trusted network. It is a bit more complicated for the user as they have to connect to OpenVPM first but possible.
2 - Use some form of user/pass authentication and perhaps certificates as well. For any of these to work, in your Webconfig, each user needs to have the App Policy for the SMTP Server User enabled then:
2a - You can open port 25 and enable authentication. I don't like this as it is too open to brute forcing.
2b - Do not enable authentication, but just open port 465 and use SMTPS (aka SMTP/SSL). Authentication is enabled in the background anyway irrespective of the authentication setting in the webconfig. I prefer this as I see far fewer (almost none) hostile connections here, but still set up fail2ban to block repeated login failures.
2c - Similar to 2b, do not enable authentication but open port 587 and use STARTTLS with user/pass authentication. To do this you'll also need to add a line to /etc/postfix/master.cf:

submission inet n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Reload the postfix configuration with a "service postfix reload". You could also add "permit_mynetworks" before "permit_sasl_authenticated". Again, use fail2ban
2d - As 2c but use certificates instead or as well as user/pass. I've seen and tries a set up for this but failed because the Android client I am using (K9 Mail) does not support certificates. Certificates would be the optimal solution as they largely make user/pass redundant and are not subject to brute forcing. fail2ban would be unnecessary as you do not need user/pass authentication. You can use user/pass but without the certificate brute forcing would fail anyway.

For myself I use 2c but I'd love to use 2d but have not found an Android client (free) which supports certificates. I still have port 25 open, without authentication, as I use my own SMTP server to receive mails directly rather than fetchmail or pop/imap but I do not do any relaying through the WAN port 25.

Email server is running fine into office.

im using port 465 and is working fine, firewall incoming port open, and email working fine

my problem is how to authenticate outside clients, when they are a public wifi, when at server we can not add all public wifi s at trusted networks at smtp server

The first thing to check is if your ISP blocks port 25. From the internet see if you get any response from telnetting to port 25. Also check you've opened the firewall to port 25 (which I don't like as there is too much brute forcing of passwords there). If port 25 is open and you still can't contact ClearOS with telnet then your ISP is blocking it. If that is the case then due to a misleading ClearOS configuration, try using port 465 with SMTPS. ClearOS is already set up to use it. All you have to do is open the port. Really this is a better option than using port 25 as there is much less hacking.

I find it odd that ClearOS is set up to use port 465 by default which uses an obsolete standard and not to use STARTTLS on port 587 which was the standard which was ratified in place of SMTPS.

If you do end up using port 25 please make sure you have strong passwords and also run something like fail2ban to try to block brute forcing.

[edit]
And in your client, use your public FQDN as the server IP then in the ClearOS hosts file add your WAN FQDN pointing to your ClearOS LAN IP.
[/edit]

Yes i can send from local network and wan

my problem is how to make outside clients, outlook, thunderbird, android email, to send emails, when they are on a public WiFi by example.

i can sent from lan and wan

at android im using email app included with it.

but i have the same problem with laptops when im using a public wifi i can not send only receive

Thanks

Is the Android device connected to your LAN or the WAN (Data) when you are trying to send e-mails?

Thanks Nick:

at first i can send/receive emails into local network as usuall with thunderbird and outlook port 25 and 110,
now im trying to send via bbery or Android but SMTP authentication reject me, because the ip isnt added at trusted networks.

Can you send from the LAN, WAN or neither?

How have you configured the SMTP options in Android (and what package are you using)?