Not relevant to your I/O problems, but this is not yet a full implementation of STARTTLS. You'll need to discard any data from before the switch to TLS (HELO host, MAIL FROM/RCPT TO, authentication state). IOW, an implicit RSET, I think.
The other thing I'd like to know before any TLS patch gets committed: how do most MTAs respond to self-signed certs, since most people don't expect to pay NetSol/Thawte/etc. for a server cert for each of their MX servers? And if self-signed certs are acceptable, it would be a very good idea to document how to generate a cert (or even provide a script). I do it often enough that the command is still in my shell history (!), but I suspect most people would be lost without any hints...
John
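The "implicit RSET" John describes is what RFC 3207 requires: once the TLS handshake completes, the server must forget everything the client said on the plaintext leg (greeting, envelope, and above all any AUTH result), because an on-path attacker could have injected or altered it before encryption started. The following is an added example written for this page, not code from the MTA patch under discussion or from any real MTA; the minimal command dispatcher, the `SmtpSession` class and the `run_script` helper are hypothetical scaffolding, and the TLS handshake and credential check are deliberately elided.

```python
"""Server-side state reset on STARTTLS, modelled as a tiny SMTP session.

Added example, not code from the patch being discussed. The command
dispatcher is a hypothetical minimal one written for this illustration;
the point is the reset() call on STARTTLS.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SmtpSession:
    """Per-connection state an MTA accumulates before (and after) STARTTLS."""
    helo_host: Optional[str] = None
    mail_from: Optional[str] = None
    rcpt_to: List[str] = field(default_factory=list)
    authenticated: bool = False
    tls_active: bool = False
    # Transcript of server replies, kept so a caller can inspect the exchange.
    replies: List[str] = field(default_factory=list)

    def _reply(self, text: str) -> str:
        self.replies.append(text)
        return text

    def reset(self) -> None:
        """Implicit RSET: forget everything learned on the plaintext leg.

        The HELO name, envelope and AUTH state seen before the handshake were
        unauthenticated and could have been tampered with, so none of it may
        carry over into the TLS-protected part of the session.
        """
        self.helo_host = None
        self.mail_from = None
        self.rcpt_to = []
        self.authenticated = False

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.reset()                 # a new greeting also starts a fresh transaction
            self.helo_host = arg
            return self._reply("250 ok")
        if verb == "STARTTLS":
            if self.tls_active:
                return self._reply("503 TLS already active")
            self.reset()                 # the implicit RSET the post asks for
            self.tls_active = True       # handshake itself is out of scope here (assumption)
            return self._reply("220 ready to start TLS")
        if verb == "AUTH":
            if not self.helo_host:
                return self._reply("503 send EHLO first")
            self.authenticated = True    # credential verification elided (assumption)
            return self._reply("235 authenticated")
        if verb == "MAIL":
            if not self.helo_host:
                return self._reply("503 send EHLO first")
            self.mail_from = arg
            return self._reply("250 sender ok")
        if verb == "RCPT":
            if self.mail_from is None:
                return self._reply("503 need MAIL first")
            self.rcpt_to.append(arg)
            return self._reply("250 recipient ok")
        if verb == "RSET":
            self.reset()
            return self._reply("250 ok")
        return self._reply("500 unrecognised command")


def run_script(lines: List[str]) -> SmtpSession:
    """Feed a constructed client transcript through one session and return it."""
    session = SmtpSession()
    for line in lines:
        session.handle(line)
    return session


if __name__ == "__main__":
    # Constructed transcript: plaintext state is built up, then STARTTLS is issued.
    # The MAIL after STARTTLS must be refused because no EHLO followed the handshake.
    sess = run_script([
        "EHLO client.example",
        "AUTH PLAIN dGVzdA==",
        "MAIL FROM:<alice@example.org>",
        "RCPT TO:<bob@example.net>",
        "STARTTLS",
        "MAIL FROM:<mallory@example.org>",
    ])
    for reply in sess.replies:
        print(reply)
```

The check worth keeping from this model is that `MAIL` directly after `STARTTLS` gets a 503: the client has to re-greet, and anything it claimed before the handshake (including having authenticated) is gone. A server that merely flips `tls_active` without the `reset()` would let a pre-TLS `AUTH` carry an attacker-injected identity into the encrypted session.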
