Passwords are passed in clear text, which is why you can add TLS over the top to encrypt that traffic. Not really sure what else to say.
Have you read the TLS howtos on www.postfix.org?
Note that IMAP servers are different, but they should be able to use the same certificate if you want. I don't know cyrus-imap well, but you can get postfix to use dovecot's authentication instead if you want. Have a look at http://www.postfix.org/SASL_README.html#server_dovecot
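
To illustrate the point about clear-text passwords, here is an added example (not part of the original post) that audits SMTP session transcripts for credentials offered or sent before STARTTLS. The transcripts, host names and account are constructed, and the SASL mechanism is assumed to be PLAIN, whose payload is only base64-encoded.

```python
import base64

# Constructed SMTP transcripts (not captured traffic). "C:" = client, "S:" = server.
# AUTH PLAIN carries base64("\0user\0password"): an encoding, not encryption.
_CRED = base64.b64encode(b"\0alice\0example-password").decode()
GREET = ["S: 220 mail.example.com ESMTP",
         "C: EHLO client.example.com",
         "S: 250-mail.example.com"]
AUTH_OK = ["C: AUTH PLAIN " + _CRED,
           "S: 235 2.7.0 Authentication successful"]

# Server offers AUTH on the unencrypted connection and the client uses it.
CLEAR_SESSION = GREET + ["S: 250-STARTTLS", "S: 250 AUTH PLAIN LOGIN"] + AUTH_OK

# Server hides AUTH until TLS is up (in Postfix: smtpd_tls_auth_only = yes).
TLS_ONLY_SESSION = GREET + ["S: 250 STARTTLS",
                            "C: STARTTLS",
                            "S: 220 2.0.0 Ready to start TLS",
                            "C: EHLO client.example.com",
                            "S: 250 AUTH PLAIN LOGIN"] + AUTH_OK

def audit(session):
    """Return findings for AUTH advertised or used before STARTTLS completed."""
    findings, tls, starttls_sent = [], False, False
    for line in session:
        side, _, text = line.partition(": ")
        if side == "S":
            code, rest = text[:3], text[4:]
            if starttls_sent and code == "220":
                tls = True  # server accepted STARTTLS; the rest is encrypted
            starttls_sent = False
            if code == "250" and rest.upper().startswith("AUTH") and not tls:
                findings.append("server advertises AUTH before TLS")
        elif text.upper() == "STARTTLS":
            starttls_sent = True
        elif text.upper().startswith("AUTH PLAIN ") and not tls:
            # Decoding needs no key, which is the whole problem without TLS.
            user = base64.b64decode(text.split()[2]).split(b"\0")[1].decode()
            findings.append("AUTH PLAIN sent in clear for user " + user)
    return findings

if __name__ == "__main__":
    for name, s in (("clear", CLEAR_SESSION), ("tls-only", TLS_ONLY_SESSION)):
        print(name, audit(s) or "no findings")
```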