In your configuration file, add a new TCP/IP channel definition with a distinct name; for example:
tcp_auth smtp single_sys mx mustsaslserver noswitchchannel TCP-INTERNAL
This channel should not allow regular channel switching (that is, it should have noswitchchannel on it either explicitly or implied by a prior defaults line). This channel should have mustsaslserver on it.
Modify your tcp_local channel by adding maysaslserver and saslswitchchannel tcp_auth, as shown in the following example:
tcp_local smtp mx single_sys maysaslserver saslswitchchannel \ tcp_auth switchchannel |TCP-DAEMON
With this configuration, SMTP mail sent by users who can authenticate with a local password will now come in the tcp_auth channel. Unauthenticated SMTP mail sent from internal hosts will still come in tcp_internal. All other SMTP mail will come in tcp_local.