Linode Forum
Linode Community Forums
Posted: Tue Mar 22, 2011 1:28 pm
I've just set up a Gentoo Linode with a Postfix/Courier-IMAP/MySQL/Roundcube schema. Local mail is working perfectly, outgoing mail (from console telnet localhost 25 and from Roundcube) also works. We don't have a DNS A or MX record yet, which may make debugging this tricky.

The problem is that I can't receive any mail. Below is a telnet session from my home pc:

hazuki@yagokoro-eirin ~ $ telnet 66.228.35.176 25
Trying 66.228.35.176...
Connected to 66.228.35.176.
Escape character is '^]'.
220 mail.anshell.com ESMTP Postfix (2.7.3)
ehlo gmail.com
250-mail.anshell.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:azumahazuki@gmail.com
250 2.1.0 Ok
rcpt to:sales@anshell.com
554 5.7.1 <censored[censored]>: Client host rejected: Access denied

Postfix is pretty persnickety, and I'm not sure what's causing this. I'm guessing it's something in smtpd_*_restrictions. My main.cf follows below (the helo_access map only contains three ways to reference the local host from OUTSIDE, which NO legit sender would ever do, and rather strongly-worded REJECT messages for them).

## BEGIN DEFAULT POSTFIX SETTINGS ##

## Some parameters for postfix itself to use

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = //usr/lib/postfix
data_directory = /var/lib/postfix

sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq

setgid_group = postdrop
mail_owner = postfix
default_privs = nobody

myhostname = mail.anshell.com
mydomain = mail.anshell.com

debug_peer_level = 2
debug_peer_list = 127.0.0.1

## Sending mail

myorigin = $mydomain

## Receiving mail

# By default, set this to localhost. Gentoo's config is "any," and someone in #postfix had "localhost"
inet_interfaces = all

# The mydestination param is, near as I can make out, what postfix does with mail coming in for one of its
# defined mailboxen. I guess if this were an MX relay it would point somewhere else...?
mydestination = $mydomain

## Rejecting mail - unknown local users

# If a message comes in for someone we don't have a mailbox for, bounce it with err 550
unknown_local_recipient_reject_code = 550

## Relay control

# We really, really don't want anyone using this box as a relay, so we're going to trust only
# the /24 segment of 127.0.0.0 for this. Possibly this can be done without the /24?
mynetworks=127.0.0.0/24

# Blank these out just to be absolutely certain
relay_domains = all
relayhost =

## Aliases
# Since I'll be using MySQL for this, I won't list the usual /etc/mail/aliases here.

## Delivery to mailboxen

# For QMail-style delivery (we're using Courier-IMAP and need these)
home_mailbox = Maildir/

# Default MBox-style delivery destination. We won't be using these but define anyway...
mail_spool_directory = /var/spool/mailbox

## Banner
# When a client (or a curious little mousie with telnet) connects, we need to show a banner.
# According to specifications (RFC), $myhostname needs to be at the start.
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

## END DEFAULT POSTFIX SETTINGS ##

## BEGIN SECURITY SETTINGS ##
# This is the section I'm a bit nervous about. Here are the settings added in to (hopefully)
# stop people from using this thing as a spambox. I don't want to see any more .tw addresses
# in /var/log/maillog!

## SMTP Daemon Settings
# Gimme head(er) till I'm dead(er)
smtpd_helo_required = yes

# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
# ^---- leave this empty...or not?
broken_sasl_auth_clients = yes
# ^---- Outlook, I'm lookin' at YOU

# Client
smtpd_client_restrictions =
   permit_mynetworks,
   reject

# HELO
smtpd_helo_restrictions =
   permit_mynetworks,
   check_helo_access hash:/etc/postfix/helo_access,
   reject_non_fqdn_helo_hostname,
   reject_unknown_helo_hostname

# Recipient
smtpd_recipient_restrictions =
   reject_unauth_pipelining,
   reject_non_fqdn_recipient,
   reject_invalid_helo_hostname,
   reject_unknown_recipient_domain,
   permit_sasl_authenticated,
   permit_mynetworks,
   reject_unauth_destination,
   reject_rbl_client zen.spamhaus.org


# Sender
smtpd_sender_restrictions =
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,
   reject_unauth_destination

# TLS settings
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newkey.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

## END SECURITY SETTINGS ##

## BEGIN VIRTUAL/MYSQL MAPPING DIRECTIVES ##
# These settings point Postfix at the MySQL database I set up to handle
# Maildir-style mailboxen and credentials. Mostly they point to map
# files and tell postfix to parse them as MySQL.

virtual_mailbox_base = /home/vmail/
virtual_uid_maps = static:1002
virtual_minimum_uid = 1000
virtual_gid_maps = static:1002
virtual_transport = virtual
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = Sorry, this user's mailbox is over quota; please try again soon.
virtual_overquota_bounce = yes

# Oddly, the people in #postfix say that the server itself MUST be here despite the default config saying not to...
# Ahh, Postfix, you magnificent bastard. Is this an "IQ test" like OpenBSD's god-awful installer or what?
virtual_mailbox_domains = anshell.com

# Minimum UID is 1000 to prevent privileged system users from having a mailbox made for them.
# GID is 1002 here because that's the GID of "vmail," our virtual mail non-user. Ditto for
# the static UID of 1002 below.
virtual_minimum_uid = 1000
virtual_gid_maps = static:1002
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf

virtual_uid_maps = static:1002
virtual_mailbox_base = /
#virtual_mailbox_limit =

# This is where we define our aliases
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf

# Local mail will check the Unix passwd file in addition to the virtuals.
local_transport = local
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname

## END VIRTUAL/MYSQL MAPPING DIRECTIVES ##

## /etc/init.d/postfix restart && sacrifice_goat && pray
readme_directory = no
sample_directory = /etc/postfix
html_directory = no
manpage_directory = /usr/local/man


Posted: Tue Mar 22, 2011 3:28 pm
Your smtpd_*_restrictions settings are kind of a mess, but your immediate problem is due to this:

Code:
smtpd_client_restrictions =
   permit_mynetworks,
   reject

This (in conjunction with your mynetworks setting) tells postfix to only allow incoming smtp connections from localhost. You need to drop the "reject" line.

You also need "permit_sasl_authenticated" in every smtpd_*_restrictions setting, probably right after "permit_mynetworks"
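
An added example, not part of the original posts: a simplified Python model of how Postfix walks the smtpd_*_restrictions lists at RCPT TO (with the default smtpd_delay_reject = yes, which the posted main.cf does not override). It shows why the bare "reject" in the client list turns away every outside sender, and that dropping it still leaves reject_unauth_destination guarding against relaying. Only four restrictions are modelled; the LOCAL_DOMAINS set, the session dictionaries and the function names are assumptions made for illustration.

```python
import ipaddress

MYNETWORKS = [ipaddress.ip_network("127.0.0.0/24")]  # mynetworks in the posted main.cf
LOCAL_DOMAINS = {"anshell.com", "mail.anshell.com"}  # assumed: domains this server accepts mail for

def check(restriction, session):
    """Return 'permit', 'reject' or 'dunno' for one modelled restriction."""
    if restriction == "permit_mynetworks":
        ip = ipaddress.ip_address(session["client_ip"])
        return "permit" if any(ip in net for net in MYNETWORKS) else "dunno"
    if restriction == "permit_sasl_authenticated":
        return "permit" if session.get("sasl_user") else "dunno"
    if restriction == "reject_unauth_destination":
        domain = session["rcpt"].rsplit("@", 1)[-1].lower()
        return "dunno" if domain in LOCAL_DOMAINS else "reject"
    if restriction == "reject":
        return "reject"
    raise ValueError(f"restriction not modelled: {restriction}")

def evaluate(config, session):
    """Walk the client, helo, sender and recipient lists in order, as smtpd
    does at RCPT TO when smtpd_delay_reject = yes."""
    for stage in ("client", "helo", "sender", "recipient"):
        for restriction in config.get(stage, []):
            verdict = check(restriction, session)
            if verdict == "reject":
                return f"reject ({stage}: {restriction})"
            if verdict == "permit":
                break  # a permit ends this list only; the later lists still run
    return "accept"

# Only the modelled restrictions are listed; the rest of the posted lists is omitted.
RECIPIENT = ["permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination"]
BEFORE = {"client": ["permit_mynetworks", "reject"], "recipient": RECIPIENT}
AFTER = {"client": ["permit_mynetworks", "permit_sasl_authenticated"], "recipient": RECIPIENT}

# Constructed sessions: 203.0.113.10 is a documentation address standing in for an outside client.
INBOUND = {"client_ip": "203.0.113.10", "rcpt": "sales@anshell.com"}
RELAY = {"client_ip": "203.0.113.10", "rcpt": "someone@example.net"}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        for label, sess in (("inbound", INBOUND), ("relay attempt", RELAY)):
            print(f"{name:6} {label:13} -> {evaluate(cfg, sess)}")
```

The "before" result for the inbound session corresponds to the "Client host rejected: Access denied" reply in the telnet transcript, which arrives only at RCPT TO because the client list is evaluated late.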


Posted: Tue Mar 22, 2011 4:00 pm
Edit:

I think it's working! I can telnet in from another location, ehlo spoof as gmail.com, and send a message in!

