the thing regarding tls_default_ca_cert_file was wrong and is never
needed. EPIPE et al. are already "handled" that way. i (foolishly?) don't
expect EINTR or EAGAIN, given that we call poll immediately before.
the sasl todo isn't that important, as we only support plain password
auth with sasl and we don't expect passphrases longer than 300 chars (if
this were violated, the server would just fail our auth attempt with
ERR_SASLTOOLONG/905 (at which point we'd hang, until we implement proper
timeouts during setup. too bad.)).