o Finish the TLS code.  
    * report server certificate details (esp fingerprint) to application
    * report cipher in use to application.
    * API to specify minimum acceptable security levels.

  o SASL
    * New plugin strategy.  If the server lists acceptable mechanisms
      load them all.  If not load all plugins.  Eliminate those which
      cannot negotiate a sufficient security level.  If encryption
      is already in use, eliminate those which *must* encrypt.  Rank
      remaining mechanisms according to the protection afforded to the
      username and password.  Attempt to authenticate using highest rank
      mechanism to lowest.  Special case: if the server offers EXTERNAL
      and the external token has been set, use that as the highest
      ranking mechanism.  If the server refuses a mechanism, back off to
      the next mechanism.  If the server accepts the mechanism but fails
      authentication, end the sequence.  Special exception: if EXTERNAL
      was used and authentication fails, back off to the next mechanism.

  o Make header code do line folding at white spaces.

  o Make header code handle Resent-* headers.

  o Make header code handle list notation in appropriate recipient headers.

  o Review API.

  o Review error reporting.

  o Loadsa documentation.