Prereq: "3.4.14"
diff -ur --new-file /var/tmp/postfix-3.4.14/src/global/mail_version.h ./src/global/mail_version.h
--- /var/tmp/postfix-3.4.14/src/global/mail_version.h	2020-06-27 17:26:28.000000000 -0400
+++ ./src/global/mail_version.h	2020-07-24 19:52:33.000000000 -0400
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20200627"
-#define MAIL_VERSION_NUMBER	"3.4.14"
+#define MAIL_RELEASE_DATE	"20200724"
+#define MAIL_VERSION_NUMBER	"3.4.15"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff -ur --new-file /var/tmp/postfix-3.4.14/HISTORY ./HISTORY
--- /var/tmp/postfix-3.4.14/HISTORY	2020-06-27 17:15:17.000000000 -0400
+++ ./HISTORY	2020-07-24 19:58:32.000000000 -0400
@@ -24466,3 +24466,21 @@
 	for the expanded CNAME. Therefore, sending the correct SNI
 	name should not break existing mail flows. Fixed by Viktor
 	Dukhovni. File: src/tls/tls_client.c.
+
+20200710
+
+	Bugfix (introduced: Postfix 3.0): minor memory leaks in the
+	Postfix TLS library, found during tests. File: tls/tls_misc.c.
+
+20200712
+
+	Bugfix (introduced: Postfix 3.0): 4kbyte per session memory
+	leak in the Postfix TLS library, found during tests. File:
+	tls/tls_misc.c.
+
+20200724
+
+	Workaround for distros that override Postfix protocol
+	settings in a system-wide OpenSSL configuration file, causing
+	interoperability problems after an OS update. File:
+	tls/tls_client.c, tls/tls_server.c.
diff -ur --new-file /var/tmp/postfix-3.4.14/src/tls/tls_client.c ./src/tls/tls_client.c
--- /var/tmp/postfix-3.4.14/src/tls/tls_client.c	2020-06-27 17:43:46.000000000 -0400
+++ ./src/tls/tls_client.c	2020-07-24 19:47:04.000000000 -0400
@@ -409,6 +409,11 @@
     off |= tls_bug_bits();
     SSL_CTX_set_options(client_ctx, off);
 
+    /* Enable all supported protocols */
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL
+    SSL_CTX_set_min_proto_version(client_ctx, 0);
+#endif
+
     /*
      * Set the call-back routine for verbose logging.
      */
diff -ur --new-file /var/tmp/postfix-3.4.14/src/tls/tls_misc.c ./src/tls/tls_misc.c
--- /var/tmp/postfix-3.4.14/src/tls/tls_misc.c	2020-06-10 17:16:49.000000000 -0400
+++ ./src/tls/tls_misc.c	2020-07-12 16:42:27.000000000 -0400
@@ -923,6 +923,8 @@
 	 */
 	if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef)
 	    locl_sig_dgst = OBJ_nid2sn(nid);
+
+	X509_free(cert);
     }
     /* Signature algorithms for the peer end of the connection */
     if ((cert = SSL_get_peer_certificate(ssl)) != 0) {
@@ -1159,6 +1161,22 @@
 	myfree(TLScontext->peer_cert_fprint);
     if (TLScontext->peer_pkey_fprint)
 	myfree(TLScontext->peer_pkey_fprint);
+    if (TLScontext->kex_name)
+	myfree((void *) TLScontext->kex_name);
+    if (TLScontext->kex_curve)
+	myfree((void *) TLScontext->kex_curve);
+    if (TLScontext->clnt_sig_name)
+	myfree((void *) TLScontext->clnt_sig_name);
+    if (TLScontext->clnt_sig_curve)
+	myfree((void *) TLScontext->clnt_sig_curve);
+    if (TLScontext->clnt_sig_dgst)
+	myfree((void *) TLScontext->clnt_sig_dgst);
+    if (TLScontext->srvr_sig_name)
+	myfree((void *) TLScontext->srvr_sig_name);
+    if (TLScontext->srvr_sig_curve)
+	myfree((void *) TLScontext->srvr_sig_curve);
+    if (TLScontext->srvr_sig_dgst)
+	myfree((void *) TLScontext->srvr_sig_dgst);
     if (TLScontext->errorcert)
 	X509_free(TLScontext->errorcert);
     if (TLScontext->untrusted)
diff -ur --new-file /var/tmp/postfix-3.4.14/src/tls/tls_server.c ./src/tls/tls_server.c
--- /var/tmp/postfix-3.4.14/src/tls/tls_server.c	2019-02-18 18:03:54.000000000 -0500
+++ ./src/tls/tls_server.c	2020-07-24 19:47:04.000000000 -0400
@@ -527,6 +527,11 @@
 
     SSL_CTX_set_options(server_ctx, off);
 
+    /* Enable all supported protocols */
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL
+    SSL_CTX_set_min_proto_version(server_ctx, 0);
+#endif
+
     /*
      * Global protocol selection.
      */