I finally found a good blog post on the subject of getting Postfix to do SMTP-AUTH via SASL.
I went one step further, and instead of moving
/var/run/saslauthd/ to the Postfix chroot, I did a bind mount:
Postfix was announcing methods like CRAM-MD5 which can’t be supported by the PAM backend, so I restricted them down to PLAIN and LOGIN (over TLS only, obviously):
Now, it’s working nicely, and I can IMAPS and SMTP-AUTH-TLS to my mail server from anywhere.