I'm going through an old copy of The Book of Postfix. It indicates that if you use saslauthd to provide SMTP AUTH, you can only use PLAIN and LOGIN mechanisms, but for CRAM-MD5 and DIGEST-MD5 and others you have to use auxprop. I was wondering if that was still true, as the book is about seven years old. I am interested in having the password exchange process more secure. (Only slightly interested, though... I mean, it's all going to be protected by TLS encryption anyway, right?) But I'm not too interested in messing with auxprop configuration, and I just wanted a PAM-based authentication (with PAM checking simple *nix account credentials).

I'm running postfix-2.7.1 on a small Gentoo Linux system, with cyrus-sasl-2.1.23.

To the best of my knowledge, this is still the case. I last read in the documentation that it supports SASL via Dovecot and Cyrus, but not directly and that it needs to use plain methods of login. As you pointed out, this is why using TLS is important. I haven't followed it or even researched it, but I don't get the impression that Postfix is under active development for addition of features. Rather, most of the activity seems to be in the plugins and tools surrounding Postfix to increase its filtering aspects.