This bothered me from the moment I got my new postfix mailserver.
Everything worked,tls/amavisd-new/courier/plain-sasl/postfix all with mysql. But somehow I didn’t get sasl working with the virtual user accounts in mysql. I tried almost everything and nothing worked.
Once in a while I tried to get it working again, but every time it ended in a dissapointment.
Until today! Jippie!

The missing link turned out to be using the “-r ” option in saslauthd.sh.
From the saslauthd man pages:

-r      Combine the realm with the login (with an '@' sign in between).
             e.g.  login: "foo" realm: "bar" will get passed as login:
             "foo@bar".  Note that the realm will still be passed, which may
             lead to unexpected behavior.

On freeBSD, add this to rc.conf:

saslauthd_flags="-r -a getpwent"

And in /usr/local/lib/sasl2/smtpd.conf:

sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sql
sql_engine: mysql
mech_list: login plain crammd6 digestmd5
sql_user: sql-user
sql_passwd: sql-pass
sql_database: postfix
sql_select: SELECT clear FROM postfix_users WHERE email = '%u@%r'
sql_verbose: yes

And don’t forget to restart the saslauthd after editing this file.

# saslauthd -v
saslauthd 2.1.21
authentication mechanisms: sasldb getpwent kerberos5 pam rimap