First, I looked over the Dovecot config for glaring issues, since I remember the breakage happening around the time the server was upgraded from Debian Squeeze to Wheezy (Dovecot 1.x to 2.x). I saw none. I abandoned that route at that point because I didn't realize Dovecot was serving up SASL yet.
Next, I looked over Postfix's main.cf to see if somehow TLS had been taken out of the config. Everything looked fine there, key was specified, socket for SASL was specified, I noted that it was using Dovecot for SASL support. Next, I checked to make sure Postfix was running on the right ports (25 and 587)... yep. Netstat -tuap for port names, netstat -tuapn for port numbers. So, on to telnet:
webmail:/etc/postfix# telnet 127.0.0.1 587
Connected to 127.0.0.1.
Escape character is '^]'.
220 webmail.all-spec.com ESMTP Postfix (Debian/GNU)
221 2.0.0 Bye
Connection closed by foreign host.