+
+If nmh has been compiled with APOP #defined, the `\-apop' switch will cause
+\fIinc\fR to use APOP rather than standard POP3 authentication. Under APOP, a
+unique string (generally of the format
+<\fIpid\fR.\fItimestamp\fR@\fIhostname\fR>) is announced by the POP server.
+Rather than `USER \fIuser\fR', `PASS \fIpassword\fR', inc sends `APOP \fIuser\fR
+\fIdigest\fR', where digest is the MD5 hash of the unique string followed by a
+`secret' shared by client and server, essentially equivalent to the user's
+password (though an APOP-enabled POP3 server could have separate APOP and plain
+POP3 passwords for a single user). `\-noapop' disables APOP in cases where it'd
+otherwise be used.
+
+If nmh has been compiled with KPOP #defined, the `\-kpop' switch will allow
+\fIinc\fR to use Kerberized POP rather than standard POP3 on a given invocation.
+If POPSERVICE was also #defined to "kpop", \fIinc\fR will be hardwired to always
+use KPOP.
+
+If nmh has been compiled with SASL support, the `\-sasl' switch will enable
+the use of SASL authentication. Depending on the SASL mechanism used, this
+may require an additional password prompt from the user (but the
+\*(lq.netrc\*(rq file can be used to store this password). The
+`\-saslmech' switch can be used to select a particular SASL mechanism.
+
+If SASL authentication is successful, \fIinc\fR will attempt to negotiate
+a security layer for session encryption. Encrypted traffic is labelled
+with `(encrypted)' and `(decrypted)' when viewing the POP transaction
+with the `\-snoop' switch.