        How to enable SMTP AUTH with FreeBSD default Sendmail

1) Add the following to /etc/make.conf:

    # Add SMTP AUTH support to Sendmail
    SENDMAIL_CFLAGS+=   -I/usr/local/include/sasl1 -DSASL
    SENDMAIL_LDFLAGS+=  -L/usr/local/lib
    SENDMAIL_LDADD+=    -lsasl

   NOTE: Sendmail 8.10 - 8.11 needs -D_FFR_UNSAFE_SASL added to
         SENDMAIL_CFLAGS if you need the GroupReadableSASLFile option.

   Starting with Sendmail 8.12.4, you can also use the security/cyrus-sasl2
   port. Then you will not need the SASL V1 port installed.

    SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
    SENDMAIL_LDFLAGS=-L/usr/local/lib
    SENDMAIL_LDADD=-lsasl2

2) Rebuild FreeBSD (make buildworld, ...)

3) Make sure that the pwcheck_method is correct in Sendmail.conf.

   Sendmail.conf (${PREFIX}/lib/sasl{,2}/Sendmail.conf) is created by the
   cyrus-sasl and cyrus-sasl2 ports during installation. It may have
   pwcheck_method set to either pwcheck (V1 only) or saslauthd (V1 & V2)
   by default. Change this to what is appropriate for your site.

4) Add the following to your sendmail.mc file:

    dnl The group needs to be mail in order to read the sasldb file
    define(`confRUN_AS_USER',`root:mail')dnl

    TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5')dnl
    define(`confAUTH_MECHANISMS',`DIGEST-MD5 CRAM-MD5')dnl

    dnl Use the following for Sendmail 8.12
    define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
    dnl Use the following for Sendmail 8.10 - 8.11
    define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLFile')dnl

5) Add the following before FEATURE(msp) in your sendmail 8.12 submit.mc
   file:

    DAEMON_OPTIONS(`Name=NoMTA, Addr=127.0.0.1, M=EA')dnl

   This disables SMTP AUTH on the loopback interface. Otherwise you may get
   the following error in the log:

    error: safesasl(/usr/local/etc/sasldb) failed: Group readable file

   when sending mail locally (seen when using pine locally on same server).

----

Additional AUTH Mechanisms are LOGIN, PLAIN, GSSAPI, and KERBEROS_V4.
These can be added to TRUST_AUTH_MECH and confAUTH_MECHANISMS as a
space-separated list.

You may want to restrict the LOGIN and PLAIN authentication methods to
use with STARTTLS, as the password is not encrypted when passed to
sendmail.

LOGIN is required for Outlook Express users. "My server requires
authentication" needs to be checked in the account's properties to use
SASL Authentication.

PLAIN is required for Netscape Communicator users. By default Netscape
Communicator will use SASL Authentication when sendmail is compiled with
SASL and will cause your users to enter their passwords each time they
retrieve their mail (NS 4.7).

The DONT_BLAME_SENDMAIL option GroupReadableSASL[DB]File is needed when
you are using cyrus-imapd and sendmail on the same server and both
require access to the sasldb database.
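
The restriction of LOGIN and PLAIN to STARTTLS sessions mentioned above can
be enforced with Sendmail's AuthOptions flag p (confAUTH_OPTIONS), which
refuses mechanisms open to simple passive attack unless a security layer is
active. The following is an added example, not part of the original README:
a shell check that flags a sendmail.mc offering LOGIN or PLAIN without that
flag. The function names and both sample .mc files are constructed for
illustration.

```sh
#!/bin/sh
# Added example (not from the README): flag a sendmail.mc that offers
# LOGIN/PLAIN without AuthOptions p, i.e. without requiring a security layer.

# Extract the quoted value of an m4 define, skipping dnl-commented lines.
mc_value() {  # usage: mc_value FILE MACRO
    sed -n "s/^define(\`$2', *\`\([^']*\)').*/\1/p" "$1"
}

# Return 0 if the config is acceptable, 1 if plaintext AUTH is unprotected.
audit_mc() {
    mechs=$(mc_value "$1" confAUTH_MECHANISMS | tr ' ' '\n' |
            grep -E '^(LOGIN|PLAIN)$' | tr '\n' ' ')
    if [ -z "$mechs" ]; then
        echo "OK: no plaintext mechanisms offered"
        return 0
    fi
    if mc_value "$1" confAUTH_OPTIONS | grep -q p; then
        echo "OK: ${mechs}offered only under a security layer"
        return 0
    fi
    echo "WEAK: ${mechs}offered without AuthOptions p"
    return 1
}

# Constructed sample configurations (weak setting beside the corrected one).
tmp=$(mktemp -d)
cat > "$tmp/weak.mc" <<'EOF'
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS',`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
EOF
cat > "$tmp/fixed.mc" <<'EOF'
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS',`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl p: refuse LOGIN/PLAIN unless a security layer (STARTTLS) is active
define(`confAUTH_OPTIONS',`A p')dnl
EOF

audit_mc "$tmp/weak.mc" || true
audit_mc "$tmp/fixed.mc"
```

Point audit_mc at your own sendmail.mc before rebuilding sendmail.cf; a
non-zero exit status means LOGIN or PLAIN would be accepted in cleartext.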