Using Postfix with an external mail filtering service?

The current Postfix (2.9) configuration is pretty straightforward: MX record points to the server running Postfix, Postfix delivers mail to the user's maildir. Users get their mail over IMAP via dovecot, and relay outbound mail through Postfix over TLS on port 465 with authentication. Here is the lightly-censored /etc/postfix/main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
myorigin = /etc/mailname

mydomain = example.net

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 4h

readme_directory = no

# SASL
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes

# Anti-spam
disable_vrfy_command = yes
smtpd_helo_required = yes
header_checks = regexp:/etc/postfix/header_checks

smtpd_recipient_restrictions = 
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre
    check_policy_service unix:private/policy-spf
    reject_rbl_client zen.spamhaus.org,

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/figaro.example.net.crt
smtpd_tls_key_file=/etc/ssl/private/figaro.example.net.key
smtpd_tls_CAfile=/etc/ssl/certs/sub.class1.server.ca.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# different EHLO response for localhost
# (we speed up roundcube by disabling STARTTLS)
smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo

myhostname = figaro.example.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = figaro.example.net, localhost.example.net, example.net, localhost 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = .
inet_interfaces = all
home_mailbox = Maildir/
policy-spf_time_limit = 3600s

This has worked fairly well for some time but we're having issues with spam and have decided to contract with an external spam filtering service. How it works is we put their SMTP servers in our domain's MX records and they forward the (ostensibly) legitimate mail to our server.

But I'm having difficulty configuring Postfix in such a way that it:

1. Relays mail from authenticated clients out to the rest of the 'net
2. Accepts mail to local users only from the external mail filtering service

All other attempts at delivering or relaying should be rejected. The spam filtering service lists its outgoing IPs as DNS A records for a given host. Let's say, delivery.example.com. I created /etc/postfix/access as follows (remembering to run postmap /etc/postfix/access afterward):

delivery.example.com OK

And then modified /etc/postfix/main.cf and replaced smtp_recipient_restrictions with:

smtpd_client_restrictions =
    hash:/etc/postfix/access
    permit_sasl_authenticated
    permit_mynetworks
    reject

This works in that mail is accepted from delivery.example.com and is rejected from everywhere else, the problem is that relay access is denied for users trying to send mail out through the server from an ordinary mail client like Thunderbird:

Aug 29 13:37:36 figaro postfix/smtpd[24703]: connect from <censored>
Aug 29 13:37:37 figaro postfix/smtpd[24703]: Anonymous TLS connection established from <censored>: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Aug 29 13:37:38 figaro postfix/smtpd[24703]: NOQUEUE: reject: RCPT from <censored>: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.0.1]>
Aug 29 13:37:44 figaro postfix/smtpd[24703]: disconnect from <censored>

I would have thought (even after reading the docs) that permit_sasl_authenticated should have allowed users to send mail through the server, but that doesn't appear to work. (It does work under the current config above. And the server is not an open relay in either case.) Any suggestions?