Prereq: "3.4.0"
diff -ur --new-file /var/tmp/postfix-3.4.0/src/global/mail_version.h ./src/global/mail_version.h
--- /var/tmp/postfix-3.4.0/src/global/mail_version.h 2019-02-27 19:26:16.000000000 -0500
+++ ./src/global/mail_version.h 2019-03-07 19:08:42.000000000 -0500
@@ -20,8 +20,8 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20190227"
-#define MAIL_VERSION_NUMBER "3.4.0"
+#define MAIL_RELEASE_DATE "20190307"
+#define MAIL_VERSION_NUMBER "3.4.1"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -ur --new-file /var/tmp/postfix-3.4.0/HISTORY ./HISTORY
--- /var/tmp/postfix-3.4.0/HISTORY 2019-02-19 17:55:30.000000000 -0500
+++ ./HISTORY 2019-03-07 19:08:17.000000000 -0500
@@ -24162,3 +24162,10 @@
 tested in tlsproxy mode. It needed some setup for buffering and
 timeouts. Problem report by Andreas Schulze. File: smtp/smtp_proto.c.
+
+20190304
+
+ Bugfix: a reversed test broke TLS configurations that specify
+ the same filename for a private key and certificate. Reported
+ by Mike Kazantsev. Fix by Viktor Dukhovni. Wietse fixed the
+ test. Files: tls/tls_certkey.c, tls/Makefile.in.
diff -ur --new-file /var/tmp/postfix-3.4.0/src/tls/Makefile.in ./src/tls/Makefile.in
--- /var/tmp/postfix-3.4.0/src/tls/Makefile.in 2019-02-09 20:08:32.000000000 -0500
+++ ./src/tls/Makefile.in 2019-03-07 19:04:25.000000000 -0500
@@ -58,6 +58,16 @@
 $(SHLIB_ENV) $(VALGRIND) ./tls_certkey -m $$pem > $$pem.out 2>&1 || exit 1; \
 diff $$pem.ref $$pem.out || exit 1; \
 echo " $$pem: OK"; \
+ $(SHLIB_ENV) $(VALGRIND) ./tls_certkey -k $$pem $$pem > $$pem.out 2>&1 || exit 1; \
+ diff $$pem.ref $$pem.out || exit 1; \
+ echo " $$pem (with key in $$pem): OK"; \
+ case $$pem in good-*) \
+ ln -sf $$pem tmpkey.pem; \
+ $(SHLIB_ENV) $(VALGRIND) ./tls_certkey -k tmpkey.pem $$pem > $$pem.out 2>&1 || exit 1; \
+ diff $$pem.ref $$pem.out || exit 1; \
+ echo " $$pem (with key in tmpkey.pem): OK"; \
+ rm -f tmpkey.pem;; \
+ esac; \
 done; \
 for pem in bad-*.pem; do \
 $(SHLIB_ENV) $(VALGRIND) ./tls_certkey $$pem > $$pem.out 2>&1 && exit 1 || : ok; \
diff -ur --new-file /var/tmp/postfix-3.4.0/src/tls/tls_certkey.c ./src/tls/tls_certkey.c
--- /var/tmp/postfix-3.4.0/src/tls/tls_certkey.c 2019-01-27 16:49:18.000000000 -0500
+++ ./src/tls/tls_certkey.c 2019-03-07 18:57:10.000000000 -0500
@@ -589,7 +589,7 @@
 * single pass, avoiding potential race conditions during key rollover.
 */
 if (strcmp(cert_file, key_file) == 0)
- return (load_mixed_file(ctx, cert_file));
+ return (load_mixed_file(ctx, cert_file) == 0);
 
 /*
 * We need both the private key (in key_file) and the public key
@@ -690,6 +690,7 @@
 int ch;
 int mixed = 0;
 int ret;
+ char *key_file = 0;
 SSL_CTX *ctx;
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
@@ -707,8 +708,11 @@
 tls_print_errors();
 exit(1);
 }
- while ((ch = GETOPT(argc, argv, "m")) > 0) {
+ while ((ch = GETOPT(argc, argv, "mk:")) > 0) {
 switch (ch) {
+ case 'k':
+ key_file = optarg;
+ break;
 case 'm':
 mixed = 1;
 break;
@@ -722,7 +726,9 @@
 if (argc < 1)
 usage();
 
- if (mixed)
+ if (key_file)
+ ret = set_cert_stuff(ctx, "any", argv[0], key_file) == 0;
+ else if (mixed)
 ret = load_mixed_file(ctx, argv[0]);
 else
 ret = load_chain_files(ctx, argv[0]);
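Review bot: The `tmpkey.pem` symlink created by `ln -sf` in the `good-*` arm is only removed on the success path; each `|| exit 1` that precedes `rm -f tmpkey.pem` leaves a dangling link in the source tree, and a stale one from an earlier failed run is then silently overwritten by `-f` rather than noticed. A single `trap 'rm -f tmpkey.pem' 0` at the top of the recipe (which begins before this hunk) would cover both paths, and if a clean target already lists the `$$pem.out` files it should list `tmpkey.pem` too. A short comment would also help a later reader: the `-k $$pem $$pem` run exercises the same-filename shortcut, while the symlink run exercises two distinct pathnames that resolve to the same file, which presumably takes the ordinary two-file path.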
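Review bot: The corrected return now relies on two opposite success conventions meeting on one line — `load_mixed_file()` reporting 0 for success while this function, judging by the `== 0` in main's `-k` branch, reports non-zero — and nothing at the call site says so, which is how the original inversion went unnoticed. A one-line comment above the return would prevent a repeat: `/* load_mixed_file() returns 0 on success; this function returns 1 on success. */`. Note also that the `strcmp()` guard compares pathnames rather than file identity, so a key and certificate reached through different names for the same file still take the two-file path below; the single-pass rollover rationale in the comment just above applies only to the literal same-name case, and a clause saying so would make the limit explicit. The enclosing function starts and ends outside the hunk.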
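Review bot: The new `-k` option is parsed in the getopt loop but the hunks do not touch `usage()`, which is called a few lines later in the `@@ -722` hunk; if that function still advertises only `-m`, its message should mention `-k keyfile` as well (its definition is not visible here). In the same hunk, `-k` silently takes precedence when both `-k` and `-m` are given, and the trailing `== 0` in `ret = set_cert_stuff(ctx, "any", argv[0], key_file) == 0;` is the one place where the helper's non-zero-on-success result is folded into `ret`'s zero-on-success meaning, so a comment such as `/* set_cert_stuff() returns 1 on success; ret is 0 on success */` belongs on that line. main() continues past the end of the hunk.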