I'm not sure which details you need? This happens with all remote setup of a mobile device. It MAY also effect desktops but that is more difficult to test, had one recent issue with a desktop that I ended up putting their IP into mynetworks which allowed them to verify.
I'm having them set their account up as IMAP, using SSL for incoming (993), TLS for outgoing (587). The incoming and outgoing are the same FQDN and then their username and password.
I found commas in the 'smtpd_recipient_restrictions' yesterday and took those out. I was getting spam injected into our server a couple of months ago. They configured headers to appear from our server but with bogus email accounts, I made a change that prevented this, and think this may be part of the problem. One of the suggestions I had followed was entering restrictions in a certain order. In the case of 'smtpd_recipient_restrictions' this put the permits for mynetwork or authenticated after some restriction checks. So, if the suggestion was wrong I may have my restrictions in the wrong order.
mydomain_fallback = localhost
message_size_limit = 104857600
biff = no
mynetworks = 10.0.0.0/8, mail.i6live.us, 174.136.6.72/32, 127.0.0.0/8, [::1]/128
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_client_hostname reject_non_fqdn_hostname reject_non_fqdn_sender reject_unknown_recipient_domain reject_rbl_client b.barracudacentral.org permit
recipient_delimiter = +
smtpd_tls_ciphers = medium
inet_protocols = all
inet_interfaces = all
smtpd_enforce_tls = no
smtpd_use_pw_server = yes
relayhost =
mydomain = i6win.us
smtpd_pw_server_security_options = cram-md5,gssapi,login,plain
smtpd_sasl_auth_enable = yes
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_delay_reject = no
content_filter = smtp-amavis:[127.0.0.1]:10024
smtpd_reject_unlisted_sender = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_multi_recipient_bounce, reject_non_fqdn_hostname, reject_invalid_hostname, permit
header_checks = pcre:/Library/Server/Mail/Config/postfix/custom_header_checks
myhostname = mail.i6win.us
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_hostname reject_invalid_hostname reject_non_fqdn_helo_hostname reject_invalid_helo_hostname permit
smtpd_use_tls = yes
enable_server_options = yes
recipient_canonical_maps = hash:/Library/Server/Mail/Config/postfix/system_user_maps
virtual_alias_maps = $virtual_maps hash:/Library/Server/Mail/Config/postfix/virtual_users hash:/Library/Server/Mail/Data/listserver/aliases/list_server_virtual
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
myorigin = $mydomain
relay_domains = $mydestination
mailbox_transport = dovecot
postscreen_dnsbl_sites = zen.spamhaus.org*2
maps_rbl_domains =
virtual_alias_domains = $virtual_alias_maps hash:/Library/Server/Mail/Config/postfix/virtual_domains
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_require_virtual_map = yes
alias_maps = hash:/Library/Server/Mail/Config/postfix/aliases hash:/Library/Server/Mail/Data/listserver/aliases/list_server_aliases
smtpd_tls_cert_file = /etc/certificates/i6win.us.7B4F4C0D1F6C22C7228299CB07DA4890D6781494.cert.pem
smtpd_tls_CAfile = /etc/certificates/i6win.us.7B4F4C0D1F6C22C7228299CB07DA4890D6781494.chain.pem
smtpd_tls_key_file = /etc/certificates/i6win.us.7B4F4C0D1F6C22C7228299CB07DA4890D6781494.key.pem
smtp_tls_cert_file = /etc/certificates/i6win.us.7B4F4C0D1F6C22C7228299CB07DA4890D6781494.cert.pem
smtp_tls_CAfile = /etc/certificates/i6win.us.7B4F4C0D1F6C22C7228299CB07DA4890D6781494.chain.pem
smtp_tls_key_file = /etc/certificates/i6win.us.7B4F4C0D1F6C22C7228299CB07DA4890D6781494.key.pem