TLS just enables encryption on the smtp session and doesn't directly affect whether or not Postfix will be allowed to relay a message.
The relaying denied message occurs because the smtpd_recipient_restrictions rules was not matched. One of those conditions must be fulfilled to allow the message to go through:
smtpd_recipient_restrictions =
permit_sasl_authenticated
check_recipient_access hash:/etc/postfix/filtered_domains
permit_mynetworks
reject_unauth_destination
To explain those rules:
permit_sasl_authenticated
permits authenticated senders through SASL. This will be necessary to authenticate users outside of your network which are normally blocked.
check_recipient_access
This will cause postfix to look in /etc/postfix/filtered_domains for rules based on the recipient address. (Judging by the file name on the file name, it is probably just blocking specific domains... Check to see if gmail.com is listed in there?)
permit_mynetworks
This will permit hosts by IP address that match IP ranges specified in $mynetworks. In the main.cf you posted, $mynetworks was set to 127.0.0.1, so it will only relay emails generated by the server itself.
Based on that configuration, your mail client will need to use SMTP Authentication before being allowed to relay messages. I'm not sure what database SASL is using. That is specified in /usr/lib/sasl2/smtpd.conf Presumably it also uses the same database as your virtual mailboxes, so you should be able enable SMTP authentication in your mail client and be all set.
I also tried doing this with sendmail relaying via gmail, but opted to use postfix instead as it seemed MUCH more simple to setup. You dont have to go through the process of creating self signed certificates etc.. This howto is for gmail, but the process should be very similar for Office 365. Just a matter of finding out the server names, and authentication scheme.
http://rs20.mine.nu/w/2011/07/gmail-as-relay-host-in-postfix/
Geo
Best Answer
With netcat, it's more-or-less impossible*.
You need a utilty which supports tls/ssl - you can try with snetcat or any other netcat clones.
*you have to do a ssl handshake first, exchange keys, encrypt, send, and then decrypt recieved data