Solved smtp: 535 - Authentication failed


New physical server, 11.0-Release. Trying to set up mail/opensmtpd to replace older server with a working base sendmail and security/cyrus-sasl-saslauthd configuration. The goal being to require TLS-secured authentication on port 587 in order to relay. This is a small server with a few users who might occasionally need email access via phone while remote.

I'm experiencing a 535 - Auth error while trying to setup & validate the email client to server.

# smtpd -dv -T all
appears to show the lookup with the correct user name and password. Having read the man page for opensmtpd's table and paying attention to the Credentials section, I did:
smtpctl encrypt ${password} >> /usr/local/etc/mail/passwd
After which, I edited the file and prepended username to the base64 representation of encrypted password, and separated the two by a single space. The base64 values match. The only difference I can see is in the telnet session running smtpd verbosely. It reads like:
lookup: lookup  "username" as CREDENTIALS in table static:passwd -> "username: $6$B???????????????????...etc..."

Other than the colon separator and surrounding quotes, I'd expect lookup to succeed.

Config /usr/local/etc/mail/smtpd.conf reads
table aliases file:/usr/local/etc/mail/aliases
table passwd file:/usr/local/etc/mail/passwd
pki ...
listen on igb0 inet4 port 587 tls-require pki ... auth <passwd>

/usr/local/etc/mail/passwd is owned by root:wheel, others having no permissions at all. The service runs under user ID _smtpd. Is it possible this is a file permission issue?

The documentation is a bit sparse in some ways, this being one.. Before blindly fiddling with file permissions, I'd appreciate some confirmation or guidance from one with more experience..

mail -s Testing username2
Appears to work. Mail is given over to dovecot on lmtp, and subsequent retrieval by phone on port 993 succeeds. But I'm not certain the mail command from shell runs through the same logic as phone over wlan.
Resolved. Had to spend more time understanding the debug data generated. What I thought was input seemed instead to be output of what the program read from password file. A couple errors compounded my difficulty. Specified
accept from any for domain ...
Despite being a 192.168.2 address, the client wasn't considered "local". The username appeared to be truncated to 8 characters. Reconstructing the password table and truncating that username to 8 appeared to help.