+If
+.B nmh
+has been compiled with SASL support, the
+.B \-sasl
+switch will enable
+the use of SASL authentication with the SMTP MTA. Depending on the
+SASL mechanism used, this may require an additional password prompt from the
+user (but the
+.RI \*(lq \&.netrc \*(rq
+file can be used to store this password).
+.B \-saslmech
+switch can be used to select a particular SASL mechanism,
+and the the
+.B \-user
+switch can be used to select a authorization userid
+to provide to SASL other than the default.
+.PP
+If SASL authentication is successful,
+.BR nmh
+will attempt to negotiate a security layer for session encryption.
+Encrypted data is labelled with `(encrypted)' and `(decrypted)' when
+viewing the SMTP transaction with the
+.B \-snoop
+switch. The
+.B \-saslmaxssf
+switch can be used to select the maximum value of the Security Strength Factor.
+This is an integer value and the exact meaning of this value depends on the
+underlying SASL mechanism. A value of 0 disables encryption.
+.PP
+If
+.B nmh
+has been compiled with TLS support, the
+.B \-tls
+and
+.B \-notls
+switches will require and disable the negotiation of TLS support when connecting to the
+SMTP MTA. Encrypted data is labelled with `(tls-encrypted)' and
+`(tls-decrypted)' when viewing the SMTP transction with the
+.B \-snoop
+switch.
+.PP