This list should be much longer, but I am too lazy to type :)

Add to "smtp" a database of servers which must support TLS, so that nobody
  can intercept mail sent to these servers.

Think about adding information about the TLS connection to the Received:
  lines. This would improve the information, but could also lead to a
  false sense of security, as the header might be forged.

SSL_read()/SSL_write(): around 1999/04/15 a detailed discussion about how
  these differ from UNIX read()/write() is going on in openssl-users.
  Once a final state is reached, I might rework pfixtls_read()/pfixtls_write()
  for more precise behaviour.
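
A sketch of the first item above (the database of servers which must support TLS), added here as an example; it is not code from this patch or from Postfix. The table contents, the ".domain" matching rule and all function names are assumptions: a listed host that does not offer STARTTLS in its EHLO reply gets its mail deferred instead of sent in plaintext.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum tls_action { SEND_PLAIN, SEND_TLS, DEFER_MAIL };

/* Constructed sample database: hosts that must be reached over TLS.
   A leading '.' matches any host below that domain (assumed convention). */
static const char *must_tls[] = { "mail.example.org", ".example.net", NULL };

/* Case-insensitive compare of the first n bytes; returns 1 on match. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* 1 if host is listed exactly or falls under a ".domain" entry. */
int tls_required(const char *host)
{
    size_t hl = strlen(host);
    for (size_t i = 0; must_tls[i] != NULL; i++) {
        const char *e = must_tls[i];
        size_t el = strlen(e);
        if (e[0] == '.' && hl > el && ieq(host + hl - el, e, el))
            return 1;
        if (e[0] != '.' && hl == el && ieq(host, e, el))
            return 1;
    }
    return 0;
}

/* 1 if a multi-line EHLO reply has a "250-STARTTLS" or "250 STARTTLS" line. */
int ehlo_offers_starttls(const char *reply)
{
    for (const char *p = reply; *p != '\0'; p += strspn(p, "\r\n")) {
        size_t n = strcspn(p, "\r\n");
        if (n >= 12 && memcmp(p, "250", 3) == 0 && (p[3] == '-' || p[3] == ' ')
            && ieq(p + 4, "STARTTLS", 8) && (n == 12 || p[12] == ' '))
            return 1;
        p += n;
    }
    return 0;
}

/* Listed hosts never fall back to plaintext: no STARTTLS means defer. */
enum tls_action smtp_tls_decision(const char *host, const char *ehlo_reply)
{
    if (ehlo_offers_starttls(ehlo_reply))
        return SEND_TLS;
    return tls_required(host) ? DEFER_MAIL : SEND_PLAIN;
}
```

A full client would also have to defer when the handshake with a listed host fails after STARTTLS was offered; that step is left out here.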
