This list does not really follow priority.

* Implement support of CRL checking. OpenSSL 0.9.7 finally supports CRLs,
  so Postfix/TLS should support loading CRLs.

* Cleanup the "pfixtls" special logging, so that it fits Wietses original
  "per site" decision to make debugging easier.

* Move TLS based information from separate lines into Postfix's smtpd
  logging lines to make logfile analysis easier.

* Check the "info_callback" for sensitive use. I already had to remove the
  "warning alert" issued on normal shutdown. Why is a warning issued for
  a normal shutdown??

* Allow to specify the protocol used globally: SSLv2, SSLv3, TLSv1.

* Enhance tls_per_site feature, such that not only MAY, MUST, NONE flags
  are supported. It should also be possible to influence the behaviour:
  choose the SSLv2/SSLv3/TLSv1 protocols.
  [A compatible way to upgrad the tls_per_site table would be to add the
  keywords:
  MUST,SSLv2
  MAY,NO_TLSv1
  ]

* Introduce new tls_per_client table to achieve the same selective behaviour
  for incoming connections.

* Introduce better support for "opportunistic" encryption: collect information
  about peers connecting; log warnings when the key changed etc.
  [I am not sure that I already have the best answers available.]

* Find a way to use the certificates themselves instead of the fingerprints
  to allow certificate based relaying. The maintenance of the fingerprints
  is a nightmare.
