Well, it looks like you are confusing SMTPD with SMTP. These two beasts have different purposes in Postfix terms. smtpd is the SMTP server used for receiving email; it binds to a specific port (for example 25, 587, 465). smtp is the SMTP client used for sending email; it connects to an SMTP server port.
Another confusion here is about STARTTLS, SMTPS and unencrypted email. By default Postfix will send and receive email without encryption. For encryption, SMTP has two schemes: STARTTLS and SMTPS. With STARTTLS, the client initiates the connection in unencrypted form and upgrades it to an encrypted one later. SMTPS is to SMTP what HTTPS is to HTTP: unlike STARTTLS, the client initiates the connection with TLS negotiation and then starts the SMTP chit-chat on top of TLS. Usually smtpd with STARTTLS capability listens on port 587, and SMTPS on port 465. For another reference, see this SO question: What is the difference between ports 465 and 587?
Now, we will talk about Postfix. By default, each process in Postfix gets its configuration from main.cf (you can view the changes via postconf -n like above). Of course, you can override it per Postfix service via master.cf, like you do for the three smtpd processes on different ports. In this case you want to override the options so that
- port 25 (smtp) shouldn't give you a certificate warning and shouldn't offer STARTTLS
- port 587 (submission) should offer STARTTLS and give you a certificate warning
- port 465 (smtps) should talk SMTPS and give you a certificate warning
To turn off the certificate warning on port 25, just specify smtpd_tls_security_level = none, like this:
smtp inet n - - - - smtpd
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=no
  -o smtpd_tls_security_level=none
Notice that I replaced the smtp_ parameters with smtpd_ ones. See the official documentation about smtpd_tls_security_level.
To enable SMTPS on port 465, use the parameter smtpd_tls_wrappermode = yes. Your config above looks OK.
Now, because we need STARTTLS (not SMTPS) on port 587, you don't need to specify smtpd_tls_wrappermode = yes in the submission service. Remove it.
The error that you get when connecting to port 587 was caused by this smtpd_tls_wrappermode parameter. Postfix expects you to talk with encrypted traffic and you send commands in plain text.
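The two mistakes corrected in this answer (an smtp_ client parameter on an smtpd service, and smtpd_tls_wrappermode=yes on the submission port) can be checked mechanically. The Python script below is an added example, not part of the original answer or of Postfix. Its sample master.cf is constructed, the function names are hypothetical, and it understands only the `-o name=value` override form.

```python
# Added example: audit master.cf for the two mistakes described in the answer above.
# Constructed sample input; handles only the "-o name=value" override form.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  -  -  -  smtpd
  -o smtp_tls_security_level=none
submission inet  n  -  -  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=yes
smtps      inet  n  -  -  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
"""

def parse_services(text):
    """Return [(service, command, {param: value})] from master.cf text."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()  # leading whitespace continues an entry
        else:
            entries.append(raw.strip())
    services = []
    for entry in entries:
        fields = entry.split()
        if len(fields) < 8:
            continue  # not a complete service definition
        args, opts = fields[8:], {}
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and "=" in value:
                key, val = value.split("=", 1)
                opts[key] = val
        services.append((fields[0], fields[7], opts))
    return services

def audit(text):
    """Return [(service, parameter, problem)] for smtpd services."""
    findings = []
    for name, command, opts in parse_services(text):
        if command != "smtpd":
            continue
        for param in opts:
            if param.startswith("smtp_"):
                findings.append((name, param, "smtp_ is a client parameter; smtpd needs smtpd_"))
        port = name.rsplit(":", 1)[-1]
        if port in ("submission", "587") and opts.get("smtpd_tls_wrappermode") == "yes":
            findings.append((name, "smtpd_tls_wrappermode", "wrapper mode is SMTPS; port 587 uses STARTTLS"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MASTER_CF):
        print(*finding, sep=": ")
```

To check a real file, pass its contents to audit(), for example the text of /etc/postfix/master.cf.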
Best Answer
Sounds like Exim is configured to deny incoming connections from 127.0.0.1 to me. Does tailing your "exim-main" log tell you anything? (This file is likely located in /var/log/exim/exim-main, but it doesn't have to be.)
A connect ACL in the exim.conf could be doing this, as could a TCP wrapper configuration. Have a look at /etc/hosts.allow and see if there are any "exim" lines. Likewise, have a look at your exim.conf and see if there's an acl_smtp_connect entry. If you are comfortable with it, post your exim.conf and we'll look at it.