Answer found here. The renegotiation is triggered because my the Base 64 representation of my password just happens to start with a capital R, meaning that it will trigger renegotiation as soon as I enter it.
This can be suppressed with the -ign_eof switch. Also from that link, I see that the -crlf is a good idea to ensure that the end-of-message marker is correctly processed (the RFC expects \r\n.\r\n to indicate the end of the message submission.
No idea why this only recently became a problem in Mail.app. Never noticed it before.
Easiest work around for now seems to be to just change my password.
Ok, I've changed my password and tested sending mail from the web interface and over the command line and both work but Mail.app is still being stubborn. Going to reboot just in case it's hanging on to some stale authentication info somewhere (although no idea where that might be, seeing as it should be in the keychain and the keychain is up to date).