I finally found a good blog post on the subject of getting Postfix to do SMTP-AUTH via SASL.
I went one step further, and instead of moving
/var/run/saslauthd/ to the Postfix chroot, I did a bind mount:
/var/run/saslauthd /var/spool/postfix/var/run/saslauthd none bind 0 0
Postfix was announcing methods like CRAM-MD5 which can't be supported by the PAM backend, so I restricted them down to PLAIN and LOGIN (over TLS only, obviously):
pwcheck_method: saslauthd mech_list: plain login
Now, it's working nicely, and I can IMAPS and SMTP-AUTH-TLS to my mail server from anywhere.