[CentOS] sendmail + plain auth

I'm probably missing something obvious, but I can get sendmail to give me AUTH
PLAIN and LOGIN options.

What I have is fairly standard configuration.  The relevant part of sendmail.mc
looks something like this:

define(`confCACERT_PATH',`/etc/ssl/certs')
define(`confCACERT',`/etc/ssl/ca-bundle.crt')
define(`confSERVER_CERT',`/etc/ssl/smtp.crt')
define(`confSERVER_KEY',`/etc/ssl/smtp.key')
define(`confAUTH_OPTIONS', `A p')
TRUST_AUTH_MECH(`EXTERNAL LOGIN PLAIN')
define(`confAUTH_MECHANISMS', `EXTERNAL LOGIN PLAIN')
DAEMON_OPTIONS(`Port=25, Name=MTA')
DAEMON_OPTIONS(`Port=465, Name=TLSMTA, M=s')

So basically, LOGIN and PLAIN should be offered when SSL/TLS is in use (but not
for plaintext sessions).  However, when connecting over TLS, sendmail doesn't
advertise them:

$ openssl s_client -connect localhost:465
[ SSL/TLS handshake output deleted, AES256 cipher was used ]
220 testbox.miliv.org ESMTP Unauthorized access prohibited
EHLO localhost
250-testbox.miliv.org Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DELIVERBY
250 HELP

Attempt to "brute-force" use them results in error (as expected):

AUTH PLAIN
504 5.3.3 AUTH mechanism PLAIN not available

I'm sure I'm missing something obvious here, probably a flag or two either in
confAUTH_OPTIONS or in DAEMON_OPTIONS, but couldn't dig out which.

Alraedy drank all coffe, and becoming desparate ;-)

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.