Prereq: "3.5.5"
diff -ur --new-file /var/tmp/postfix-3.5.5/src/global/mail_version.h ./src/global/mail_version.h
--- /var/tmp/postfix-3.5.5/src/global/mail_version.h 2020-07-24 19:56:03.000000000 -0400
+++ ./src/global/mail_version.h 2020-07-26 14:14:48.000000000 -0400
@@ -20,8 +20,8 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20200724"
-#define MAIL_VERSION_NUMBER "3.5.5"
+#define MAIL_RELEASE_DATE "20200726"
+#define MAIL_VERSION_NUMBER "3.5.6"
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -ur --new-file /var/tmp/postfix-3.5.5/HISTORY ./HISTORY
--- /var/tmp/postfix-3.5.5/HISTORY 2020-07-24 19:58:56.000000000 -0400
+++ ./HISTORY 2020-07-26 14:28:09.000000000 -0400
@@ -24809,3 +24809,13 @@
 settings in a system-wide OpenSSL configuration file, causing interoperability problems after an OS update. File: tls/tls_client.c, tls/tls_server.c.
+
+20200726
+
+ Bugfix (introduced: Postfix 3.5.5): part of a memory leak
+ fix was backported to the wrong place. File: tls/tls_misc.c.
+
+ The Postfix 3.5.5 workaround did not explicitly override
+ the system-wide OpenSSL configuration of allowed TLS protocol
+ versions, for sessions where the remote SMTP client sends
+ SNI. It's better to be safe than sorry. File: tls/tls_server.c.
diff -ur --new-file /var/tmp/postfix-3.5.5/src/tls/tls_misc.c ./src/tls/tls_misc.c
--- /var/tmp/postfix-3.5.5/src/tls/tls_misc.c 2020-07-12 16:41:51.000000000 -0400
+++ ./src/tls/tls_misc.c 2020-07-26 13:03:13.000000000 -0400
@@ -922,8 +922,6 @@
 */
 if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef)
 locl_sig_dgst = OBJ_nid2sn(nid);
-
- X509_free(cert);
 }
 /* Signature algorithms for the peer end of the connection */
 if ((cert = SSL_get_peer_certificate(ssl)) != 0) {
@@ -965,6 +963,8 @@
 */
 if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef)
 peer_sig_dgst = OBJ_nid2sn(nid);
+
+ X509_free(cert);
 }
 if (kex_name) {
 TLScontext->kex_name = mystrdup(kex_name);
diff -ur --new-file /var/tmp/postfix-3.5.5/src/tls/tls_server.c ./src/tls/tls_server.c
--- /var/tmp/postfix-3.5.5/src/tls/tls_server.c 2020-07-24 18:58:45.000000000 -0400
+++ ./src/tls/tls_server.c 2020-07-26 13:46:34.000000000 -0400
@@ -530,6 +530,7 @@
 /* Enable all supported protocols */
 #if OPENSSL_VERSION_NUMBER >= 0x1010000fUL
 SSL_CTX_set_min_proto_version(server_ctx, 0);
+ SSL_CTX_set_min_proto_version(sni_ctx, 0);
 #endif
 /*
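Review bot: In src/tls/tls_misc.c, the `X509_free(cert);` added at the end of the peer-certificate block carries no comment explaining why this block releases `cert` while the preceding local-end block (first hunk, where the same call is removed) must not, and that ownership asymmetry is what the 3.5.5 backport got wrong. `SSL_get_peer_certificate()` returns a new reference that the caller owns; if the local-end block obtains its certificate through a borrowing getter such as `SSL_get_certificate()` (that call is outside both hunks), a free there drops a reference the caller never held and can leave the SSL object pointing at a released certificate. I would add `/* SSL_get_peer_certificate() returns a new reference; release it here. */` above the free and `/* cert is borrowed from ssl; do not X509_free() it. */` at the end of the local-end block. Both blocks begin outside the hunks shown.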
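Review bot: In src/tls/tls_server.c, both `SSL_CTX_set_min_proto_version()` calls discard the return value, so if the reset fails on `sni_ctx` the system-wide minimum stays in force for SNI sessions and nothing is logged. Passing 0 also removes the OpenSSL configuration file's protocol floor for both contexts, so the Postfix protocol restrictions applied elsewhere (not visible in this hunk) become the only limit, and the comment `/* Enable all supported protocols */` does not say that. I would check the result, e.g. `if (SSL_CTX_set_min_proto_version(sni_ctx, 0) != 1) msg_warn("cannot reset sni_ctx minimum TLS protocol version");`, and extend the comment to state that the effective protocol set is enforced later and has to be applied to server_ctx and sni_ctx alike. The enclosing function starts and ends outside the hunk.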