Here is my main.cf as well. I think I can identify more specifically what you need.
myhostname = ws1.node.example.com
mydomain = node.example.com
mynetworks = 127.0.0.1/32
mydestination = ws1.node.example.com localhost
inet_interfaces = ws1.node.example.com 127.0.0.1
virtual_alias_maps = hash:/vhosts/etc/postfix/virtual_alias_maps
virtual_gid_maps = hash:/vhosts/etc/postfix/virtual_gid_maps
virtual_uid_maps = hash:/vhosts/etc/postfix/virtual_uid_maps
virtual_mailbox_domains = hash:/vhosts/etc/postfix/virtual_mailbox_domains
virtual_mailbox_maps = hash:/vhosts/etc/postfix/virtual_mailbox_maps
virtual_mailbox_base = /vhosts/maildirs
smtpd_sender_login_maps = hash:/vhosts/etc/postfix/smtpd_sender_login_maps
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unauth_pipelining, reject_unauth_destination, reject_unknown_hostname, reject_unknown_sender_domain, reject_unknown_client, permit_auth_destination, check_policy_service unix:postgrey/socket, reject_rbl_client xbl.spamhaus.org, reject
And again for completeness, the relevant part of master.cf.
submission inet n - n - - smtpd
Whether you are running virtual mailboxes or local, the key here is the line 'smtpd_recipient_restrictions'. There are lots of directives like that in postfix, and lots of advice you can read about which ones to use, but for a start stick to just this one. Learn about the rest later here http://www.postfix.org/SMTPD_ACCESS_README.html
You can see that in main.cf I have 'smtpd_recipient_restrictions' set with things like 'reject_*' to reject messages that fail various checks, and I have 'permit_auth_destination' which allows locally delivered mail. Everything else is rejected. This is the baseline, nothing but locally deliverable mail.
Now we move on to 'master.cf'. Once you have your 'main.cf' right you could almost copy what I have (at your risk obviously). But again here the key is 'smtpd_recipient_restrictions', which is set to 'permit_mynetworks' so that local senders can forward mail (you may not want this), but more importantly 'permit_sasl_authenticated', which allows authenticated users. All other email is rejected. This overrides the setting in main.cf.
All in, this means that the standard SMTP service on port 25 will use the default setting of local delivery only, and the SMTP service on the submission port 587 will override the setting to only allow authenticated senders.
I hope this helps...