Prereq: "3.2.17"
diff -ur --new-file /var/tmp/postfix-3.2.17/src/global/mail_version.h ./src/global/mail_version.h
--- /var/tmp/postfix-3.2.17/src/global/mail_version.h	2020-06-27 17:23:57.000000000 -0400
+++ ./src/global/mail_version.h	2020-07-24 19:51:37.000000000 -0400
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20200627"
-#define MAIL_VERSION_NUMBER	"3.2.17"
+#define MAIL_RELEASE_DATE	"20200724"
+#define MAIL_VERSION_NUMBER	"3.2.18"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff -ur --new-file /var/tmp/postfix-3.2.17/HISTORY ./HISTORY
--- /var/tmp/postfix-3.2.17/HISTORY	2020-06-27 17:20:02.000000000 -0400
+++ ./HISTORY	2020-07-24 19:58:07.000000000 -0400
@@ -23343,3 +23343,21 @@
 	for the expanded CNAME. Therefore, sending the correct SNI
 	name should not break existing mail flows. Fixed by Viktor
 	Dukhovni. File: src/tls/tls_client.c.
+
+20200710
+
+	Bugfix (introduced: Postfix 3.0): minor memory leaks in the
+	Postfix TLS library, found during tests. File: tls/tls_misc.c.
+
+20200712
+
+	Bugfix (introduced: Postfix 3.0): 4kbyte per session memory
+	leak in the Postfix TLS library, found during tests. File:
+	tls/tls_misc.c.
+
+20200724
+
+	Workaround for distros that override Postfix protocol
+	settings in a system-wide OpenSSL configuration file, causing
+	interoperability problems after an OS update. File:
+	tls/tls_client.c, tls/tls_server.c.
diff -ur --new-file /var/tmp/postfix-3.2.17/src/tls/tls_client.c ./src/tls/tls_client.c
--- /var/tmp/postfix-3.2.17/src/tls/tls_client.c	2020-06-27 17:20:29.000000000 -0400
+++ ./src/tls/tls_client.c	2020-07-24 19:48:33.000000000 -0400
@@ -375,6 +375,11 @@
     off |= tls_bug_bits();
     SSL_CTX_set_options(client_ctx, off);
 
+    /* Enable all supported protocols */
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL
+    SSL_CTX_set_min_proto_version(client_ctx, 0);
+#endif
+
     /*
      * Set the call-back routine for verbose logging.
      */
diff -ur --new-file /var/tmp/postfix-3.2.17/src/tls/tls_misc.c ./src/tls/tls_misc.c
--- /var/tmp/postfix-3.2.17/src/tls/tls_misc.c	2019-06-25 17:14:41.000000000 -0400
+++ ./src/tls/tls_misc.c	2020-07-12 16:45:42.000000000 -0400
@@ -961,6 +961,8 @@
 	 */
 	if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef)
 	    locl_sig_dgst = OBJ_nid2sn(nid);
+
+	X509_free(cert);
     }
     /* Signature algorithms for the peer end of the connection */
     if ((cert = SSL_get_peer_certificate(ssl)) != 0) {
@@ -1189,6 +1191,22 @@
 	myfree(TLScontext->peer_cert_fprint);
     if (TLScontext->peer_pkey_fprint)
 	myfree(TLScontext->peer_pkey_fprint);
+    if (TLScontext->kex_name)
+	myfree((void *) TLScontext->kex_name);
+    if (TLScontext->kex_curve)
+	myfree((void *) TLScontext->kex_curve);
+    if (TLScontext->clnt_sig_name)
+	myfree((void *) TLScontext->clnt_sig_name);
+    if (TLScontext->clnt_sig_curve)
+	myfree((void *) TLScontext->clnt_sig_curve);
+    if (TLScontext->clnt_sig_dgst)
+	myfree((void *) TLScontext->clnt_sig_dgst);
+    if (TLScontext->srvr_sig_name)
+	myfree((void *) TLScontext->srvr_sig_name);
+    if (TLScontext->srvr_sig_curve)
+	myfree((void *) TLScontext->srvr_sig_curve);
+    if (TLScontext->srvr_sig_dgst)
+	myfree((void *) TLScontext->srvr_sig_dgst);
     if (TLScontext->errorcert)
 	X509_free(TLScontext->errorcert);
     if (TLScontext->untrusted)
diff -ur --new-file /var/tmp/postfix-3.2.17/src/tls/tls_server.c ./src/tls/tls_server.c
--- /var/tmp/postfix-3.2.17/src/tls/tls_server.c	2018-11-17 17:54:43.000000000 -0500
+++ ./src/tls/tls_server.c	2020-07-24 19:48:33.000000000 -0400
@@ -526,6 +526,11 @@
 
     SSL_CTX_set_options(server_ctx, off);
 
+    /* Enable all supported protocols */
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL
+    SSL_CTX_set_min_proto_version(server_ctx, 0);
+#endif
+
     /*
      * Global protocol selection.
      */