Prereq: "3.2.18"
diff -ur --new-file /var/tmp/postfix-3.2.18/src/global/mail_version.h ./src/global/mail_version.h
--- /var/tmp/postfix-3.2.18/src/global/mail_version.h	2020-07-24 19:51:37.000000000 -0400
+++ ./src/global/mail_version.h	2020-07-26 14:11:20.000000000 -0400
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20200724"
-#define MAIL_VERSION_NUMBER	"3.2.18"
+#define MAIL_RELEASE_DATE	"20200726"
+#define MAIL_VERSION_NUMBER	"3.2.19"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff -ur --new-file /var/tmp/postfix-3.2.18/HISTORY ./HISTORY
--- /var/tmp/postfix-3.2.18/HISTORY	2020-07-24 19:58:07.000000000 -0400
+++ ./HISTORY	2020-07-26 14:33:48.000000000 -0400
@@ -23361,3 +23361,8 @@
 	settings in a system-wide OpenSSL configuration file, causing
 	interoperability problems after an OS update. File:
 	tls/tls_client.c, tls/tls_server.c.
+
+20200726
+
+	Bugfix (introduced: Postfix 3.3.13): part of a memory leak
+	fix was backported to the wrong place. File: tls/tls_misc.c.
diff -ur --new-file /var/tmp/postfix-3.2.18/src/tls/tls_misc.c ./src/tls/tls_misc.c
--- /var/tmp/postfix-3.2.18/src/tls/tls_misc.c	2020-07-12 16:45:42.000000000 -0400
+++ ./src/tls/tls_misc.c	2020-07-26 13:23:25.000000000 -0400
@@ -961,8 +961,6 @@
 	 */
 	if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef)
 	    locl_sig_dgst = OBJ_nid2sn(nid);
-
-	X509_free(cert);
     }
     /* Signature algorithms for the peer end of the connection */
     if ((cert = SSL_get_peer_certificate(ssl)) != 0) {
@@ -1004,6 +1002,8 @@
 	 */
 	if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef)
 	    peer_sig_dgst = OBJ_nid2sn(nid);
+
+	X509_free(cert);
     }
     if (kex_name) {
 	TLScontext->kex_name = mystrdup(kex_name);