Prereq: "3.2.10" diff -ur --new-file /var/tmp/postfix-3.2.10/src/global/mail_version.h ./src/global/mail_version.h --- /var/tmp/postfix-3.2.10/src/global/mail_version.h 2019-06-29 09:57:11.000000000 -0400 +++ ./src/global/mail_version.h 2019-09-21 12:26:12.000000000 -0400 @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20190629" -#define MAIL_VERSION_NUMBER "3.2.10" +#define MAIL_RELEASE_DATE "20190921" +#define MAIL_VERSION_NUMBER "3.2.11" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -ur --new-file /var/tmp/postfix-3.2.10/HISTORY ./HISTORY --- /var/tmp/postfix-3.2.10/HISTORY 2019-06-27 19:23:01.000000000 -0400 +++ ./HISTORY 2019-09-21 11:55:47.000000000 -0400 
@@ -23186,3 +23186,48 @@ handshake failure, causing stale numbers to be reported. The command counts are now reset in the function that reports the counts. File: smtpd/smtpd.c. + +20190723 + + Bugfix: the documentation said tls_fast_shutdown_enable, + but the code said tls_fast_shutdown. Viktor Dukhovni. Changed + the code because no-one is expected to override the default. + File: global/mail_params.h. + +20190820 + + Workaround for poor TCP loopback performance on LINUX, where + getsockopt(..., TCP_MAXSEG, ..) reports a TCP maximal segment + size that is 1/2 to 1/3 of the MTU. For example, with kernel + 5.1.16-300.fc30.x86_64 the TCP client and server announce + an mss of 65495 in the TCP handshake, but getsockopt() + returns 32741 (less than half). As a matter of principle, + Postfix won't turn on client-side TCP_NODELAY because that + hides application performance bugs, and because that still + suffers from server-side delayed ACKs. Instead, Postfix + avoids sending "small" writes back-to-back, by choosing a + VSTREAM buffer size that is a multiple of the reported MSS. + This workaround bumps the multiplier from 2x to 4x. File: + util/vstream_tweak.c. + +20190825 + + Bugfix (introduced: 20051222): the Dovecot client could + segfault (null pointer read) or cause an SMTP server assertion + to fail when talking to a fake Dovecot server. The client + now logs a proper error instead. Problem reported by Tim + Düsterhus. File: xsasl/xsasl_dovecot_server.c. + +20190914 + + Bitrot: don't invoke SSL_shutdown() when the SSL engine + thinks it is processing a TLS handshake. The commit at + https://github.com/openssl/openssl/commit/64193c8218540499984cd63cda41f3cd491f3f59 + changed the error status, incompatibly, from SSL_ERROR_NONE + into SSL_ERROR_SSL. File: tlsproxy/tlsproxxy.c. + +20190921 (backport from Postfix >= 3.4) + + Bugfix (introduced: Postfix-2.9.0): null pointer read, while + logging a warning after a postscreen_command_filter read + error. 
File: postscreen/postscreen_smtpd.c. diff -ur --new-file /var/tmp/postfix-3.2.10/src/global/mail_params.h ./src/global/mail_params.h --- /var/tmp/postfix-3.2.10/src/global/mail_params.h 2019-06-27 19:35:46.000000000 -0400 +++ ./src/global/mail_params.h 2019-07-23 18:46:37.000000000 -0400 @@ -3310,7 +3310,7 @@ /* * The default is backwards-incompatible. */ -#define VAR_TLS_FAST_SHUTDOWN "tls_fast_shutdown" +#define VAR_TLS_FAST_SHUTDOWN "tls_fast_shutdown_enable" #define DEF_TLS_FAST_SHUTDOWN 1 extern bool var_tls_fast_shutdown; diff -ur --new-file /var/tmp/postfix-3.2.10/src/postscreen/postscreen_smtpd.c ./src/postscreen/postscreen_smtpd.c --- /var/tmp/postfix-3.2.10/src/postscreen/postscreen_smtpd.c 2016-07-30 15:55:44.000000000 -0400 +++ ./src/postscreen/postscreen_smtpd.c 2019-06-30 13:22:50.000000000 -0400 @@ -896,7 +896,8 @@ vstring_strcpy(state->cmd_buffer, cp); } else if (psc_cmd_filter->error != 0) { msg_fatal("%s:%s lookup error for \"%.100s\"", - psc_cmd_filter->type, psc_cmd_filter->name, cp); + psc_cmd_filter->type, psc_cmd_filter->name, + STR(state->cmd_buffer)); } } diff -ur --new-file /var/tmp/postfix-3.2.10/src/tlsproxy/tlsproxy.c ./src/tlsproxy/tlsproxy.c --- /var/tmp/postfix-3.2.10/src/tlsproxy/tlsproxy.c 2019-06-29 09:34:06.000000000 -0400 +++ ./src/tlsproxy/tlsproxy.c 2019-09-20 19:16:23.000000000 -0400 
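Review bot: The value now passed to msg_fatal, `STR(state->cmd_buffer)`, is client-supplied data; `%.100s` bounds its length but not its content, so unless the buffer has already been passed through printable() (not visible in this hunk) the fatal log line can carry raw control bytes from the peer, and I'd either log `printable(STR(state->cmd_buffer), '?')` or note at the call that the buffer is already sanitized. Replacing `cp` with the command buffer is presumably the right fix for the null read, since `cp` looks like the lookup result that is absent exactly when `psc_cmd_filter->error` is set. A one-line comment such as `/* cp is null on lookup error; log the request instead */` would save the next reader a trip to HISTORY. The enclosing function starts and ends outside this hunk.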
@@ -506,9 +506,8 @@ if (NBBIO_ERROR_FLAGS(plaintext_buf)) { if (NBBIO_ACTIVE_FLAGS(plaintext_buf)) nbbio_disable_readwrite(state->plaintext_buf); - ssl_stat = SSL_shutdown(tls_context->con); - /* XXX Wait for return value 1 if sessions are to be reused? */ - if (ssl_stat < 0) { + if (!SSL_in_init(tls_context->con) + && (ssl_stat = SSL_shutdown(tls_context->con)) < 0) { handshake_err = SSL_get_error(tls_context->con, ssl_stat); tlsp_eval_tls_error(state, handshake_err); /* At this point, state could be a dangling pointer. */ diff -ur --new-file /var/tmp/postfix-3.2.10/src/util/vstream_tweak.c ./src/util/vstream_tweak.c --- /var/tmp/postfix-3.2.10/src/util/vstream_tweak.c 2014-12-25 11:47:17.000000000 -0500 +++ ./src/util/vstream_tweak.c 2019-09-08 10:36:14.000000000 -0400 @@ -124,12 +124,20 @@ * stream buffer size to less than VSTREAM_BUFSIZE, when the request is * made before the first stream read or write operation. We don't want to * reduce the buffer size. + * + * As of 20190820 we increase the mss size multipler from 2x to 4x, because + * some LINUX loopback TCP stacks report an MSS of 21845 which is 3x + * smaller than the MTU of 65536. Even with a VSTREAM buffer 2x the + * reported MSS size, performance would suck due to Nagle or delayed ACK + * delays. */ #define EFF_BUFFER_SIZE(fp) (vstream_req_bufsize(fp) ? \ vstream_req_bufsize(fp) : VSTREAM_BUFSIZE) #ifdef CA_VSTREAM_CTL_BUFSIZE - if (mss > EFF_BUFFER_SIZE(fp) / 2) { + if (mss > EFF_BUFFER_SIZE(fp) / 4) { + if (mss < INT_MAX / 2) + mss *= 2; if (mss < INT_MAX / 2) mss *= 2; vstream_control(fp, diff -ur --new-file /var/tmp/postfix-3.2.10/src/xsasl/xsasl_dovecot_server.c ./src/xsasl/xsasl_dovecot_server.c --- /var/tmp/postfix-3.2.10/src/xsasl/xsasl_dovecot_server.c 2016-01-23 19:50:54.000000000 -0500 +++ ./src/xsasl/xsasl_dovecot_server.c 2019-08-27 03:35:11.000000000 -0400 
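Review bot: With the new `!SSL_in_init()` short-circuit, ssl_stat is left unassigned on the mid-handshake path because the SSL_shutdown() assignment now lives inside the condition; the enclosing function continues outside this hunk, so if ssl_stat is read later it would see a stale value, and if it is not, a comment should say the variable is only meaningful inside this `if`. The removed `/* XXX Wait for return value 1 ... */` note is not replaced, yet the code still treats a 0 return (our close_notify sent, the peer's not awaited) like a clean shutdown; I'd keep `/* No SSL_shutdown() mid-handshake: newer OpenSSL reports SSL_ERROR_SSL for it. A 0 return is deliberately not awaited. */` on the new line. I'd also confirm against the OpenSSL release in use whether SSL_in_init() can be true while an established TLS 1.3 session is processing post-handshake messages, since that would skip the close_notify on a live session.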
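Review bot: The two back-to-back `if (mss < INT_MAX / 2) mss *= 2;` steps in the new code spell the 4x multiplier as a repeated idiom, which is easy to mis-edit the next time the factor changes; a single named factor reads better, e.g. `#define VSTREAM_MSS_MULT 4` with `if (mss <= INT_MAX / VSTREAM_MSS_MULT) mss *= VSTREAM_MSS_MULT;` and the `/ 4` in the enclosing `if` using the same macro. The only behavioral difference is for an MSS between INT_MAX/4 and INT_MAX/2, far outside anything TCP_MAXSEG can report, so it is not worth preserving. The new comment also has a typo (`multipler`), and its example MSS (21845) differs from the one in the HISTORY entry (32741); both fall in the stated 1/2–1/3 range, but citing one figure in both places would avoid confusion. The enclosing function starts and ends outside this hunk.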
@@ -584,10 +584,20 @@ if (xsasl_dovecot_parse_reply(server, &line) == 0) { /* authentication successful */ xsasl_dovecot_parse_reply_args(server, line, reply, 1); + if (server->username == 0) { + msg_warn("missing Dovecot server %s username field", cmd); + vstring_strcpy(reply, "Authentication backend error"); + return XSASL_AUTH_FAIL; + } return XSASL_AUTH_DONE; } } else if (strcmp(cmd, "CONT") == 0) { if (xsasl_dovecot_parse_reply(server, &line) == 0) { + if (line == 0) { + msg_warn("missing Dovecot server %s reply field", cmd); + vstring_strcpy(reply, "Authentication backend error"); + return XSASL_AUTH_FAIL; + } vstring_strcpy(reply, line); return XSASL_AUTH_MORE; }
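Review bot: The new `server->username == 0` guard in the OK branch runs only after `xsasl_dovecot_parse_reply_args(server, line, reply, 1)` has already been handed `line`, which the CONT branch now treats as possibly null; unless parse_reply_args is known to tolerate a null line (not visible here), the same `if (line == 0) { msg_warn(...); vstring_strcpy(reply, "Authentication backend error"); return XSASL_AUTH_FAIL; }` guard the CONT branch gains should precede that call. Failing closed with a generic "Authentication backend error" while logging the specifics via msg_warn is the right split, since the SMTP client learns nothing about the backend. It would help to state in a comment that a Dovecot reply may lack fields and that a missing user name must never yield XSASL_AUTH_DONE, e.g. `/* Fail closed: never report success without a user name. */`. The enclosing function starts and ends outside this hunk.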