Sorry for the long post...

So I have setup my home email server following the instructions provided at https://workaround.org/ispmail/jessie and everything as far as I can tell was done correctly. I can login to my local roundcube apache interface as user@domain. However I cannot send or receive email. I can send from root to user@domain using sendmail but that doesn't do me any good. I checked my logs (var/log/mail.log) and see the same message whether I am using store\forward or smtp relay dynu service.

store/forward:
Aug 21 20:20:09 mail postfix/smtp[1458]: connect to smtp.dynu.com[207.38.69.195]:2525: Connection timed out
Aug 21 20:20:09 mail postfix/smtp[1458]: E012F2314E: to=<external@domain.net>, relay=none, delay=30, delays=0.1/0.04/30/0, dsn=4.4.1, status=deferred (connect to smtp.dynu.com[207.38.69.195]:2525: Connection timed out)

smtp relay:
Aug 21 23:51:23 mail postfix/smtp[2983]: connect to relay.dynu.com[199.233.237.19]:587: Connection timed out
Aug 21 23:51:23 mail postfix/smtp[2983]: 9987923384: to=<external@domain.net>, relay=none, delay=922, delays=892/0.05/30/0, dsn=4.4.1, status=deferred (connect to relay.dynu.com[199.233.237.19]:587: Connection timed out)

All ports are open and forwarded correctly from my router.

main.cf
==================
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/mailserver.pem <---self signed cert
smtpd_tls_key_file = /etc/ssl/private/mailserver.pem <---self signed cert
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = host.domain.us
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = byteknight.us, mail.byteknight.us, localhost.byteknight.us, localhost
relayhost = relay.dynu.com:587 <<<<<------This gets changed to smtp.dynu.com:2525 and vice/versa
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
==================

Tried telnet and get this:
# telnet 207.38.69.195 2525
Trying 207.38.69.195...

# telnet 199.233.237.19 587
Trying 199.233.237.19...


I'm pulling my hair out trying to figure out how to simply use a home email server without paying the ISP ungodly amounts of money for a static IP to unblock port 25...did not expect this to be so difficult. Any ideas or links that may help me get this working? Thanks!

Thanks for the reply and link to postfix smtp relay, I'm sure I'll refer to it.
https://www.dynu.com/Resources/Tutorials/EmailServices/EmailServerSetup/How-to-configure-postfix-with-SMTP-relay

The telnet commands failing got me thinking; I'm pretty security conscious and have very strict settings on my firewall. As a test I temporarily turned it off and re-tried the telnet commands and got the following:

# telnet relay.dynu.com 587
Trying 199.233.237.19...
telnet: Unable to connect to remote host: Connection refused

# telnet smtp.dynu.com 2525
Trying 207.38.69.195...
telnet: Unable to connect to remote host: Connection refused

# telnet smtp.gmail.com 587
Trying 74.125.206.108...
Trying 74.125.206.109...
Trying 2a00:1450:400c:c04::6d...
telnet: Unable to connect to remote host: Network is unreachable

The last one seemed (at least to me to be a DNS issue, but...
# nslookup smtp.gmail.com
Server: 8.26.56.26
Address: 8.26.56.26#53

Non-authoritative answer:
smtp.gmail.com canonical name = gmail-smtp-msa.l.google.com.
Name: gmail-smtp-msa.l.google.com
Address: 74.125.206.108
Name: gmail-smtp-msa.l.google.com
Address: 74.125.206.109

I looked at my firewall a little closer and noticed I allowed 23 (telnet) out but not in, changed that and added 2525 TCP in and out, same thing. Allowed all undefined ports in and out, effectively making a firewall moot and same thing. What am I missing here?

Weird thing is when I make a change to the firewall and it is applying the changes I go back to the shell and telnet works. After, same problem. Ok, I think I can safely assume the problem is on my router/firewall somewhere...

Is there a port or protocol I need to add/modify on my firewall anyone with more smarts than me can quickly identify?