I had imagined SASL authentication would have to be resolved before the smtpd process would be taking commands and responding. I was thinking of how postscreen and postscreen_dnsbl_sites are handled. I've adjusted the picture.
I like the suggestion to make it into "access denied", as this is more accurate. Perhaps "no problem to solve", but now we have better logging for secure SMTP and a better error message out of this discussion. Plus some cruft removed from an access file. Thanks, everyone. Have a good weekend.