diff --git a/postfix/HISTORY b/postfix/HISTORY
index 856b2db51..0e0d69c70 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -24760,3 +24760,25 @@ Apologies for any names omitted.
 Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by initializing the ICU library before making the chroot() call. Files: util/midna_domain.[hc], global/mail_params.c.
+
+20200511
+
+ Noise suppression: spurious "SSL_Shutdown:shutdown while
+ in init" warnings. File: tls/tls_session.c.
+
+ Debugging: with a single -v, the cleanup server now also
+ logs output envelope records, so that one -v option shows
+ the input and output. File: cleanup_out.c.
+
+20200515
+
+ Bugfix (introduced: Postfix 2.2): TLS error status info
+ from a PostgreSQL client caused a false 'lost connection'
+ error for an SMTP-over-TLS session in the same Postfix
+ process. Reported by Alexander Vasarab, diagnosed by Viktor
+ Dukhovni. File: tls/tls_bio_ops.c.
+
+ Bugfix (introduced: Postfix 2.8): TLS error status info
+ from one TLS session may cause a false 'lost connection'
+ error for concurrent TLS sessions in the same tlsproxy
+ process. File: tlsproxy/tlsproxy.c.
diff --git a/postfix/src/cleanup/cleanup_out.c b/postfix/src/cleanup/cleanup_out.c
index 8905fad37..3ccebec90 100644
--- a/postfix/src/cleanup/cleanup_out.c
+++ b/postfix/src/cleanup/cleanup_out.c
@@ -118,6 +118,9 @@ void cleanup_out(CLEANUP_STATE *state, int type, const char *string, ssize_t
 #define TEXT_RECORD(t) ((t) == REC_TYPE_NORM || (t) == REC_TYPE_CONT)
+ if (msg_verbose && !TEXT_RECORD(type))
+ msg_info("cleanup_out: %c %.*s", type, (int) len, string);
+
 if (var_line_limit <= 0)
 msg_panic("cleanup_out: bad line length limit: %d", var_line_limit);
 do {
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 2edd10252..e08b3a7a0 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
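Review bot: The new comment above `ERR_clear_error()` in tls_bio() says "per-thread", but the failure described in the HISTORY entry is a different OpenSSL user (the PostgreSQL client) in the same single-threaded process leaving entries in the queue; "per-thread" understates who can pollute it. The comment could say what the fix actually relies on: `/* OpenSSL keeps one error queue per thread, shared by every caller in this process (e.g. a database client). Empty it so that SSL_get_error() on the call below reflects only that call. */`. It may also be worth stating that nothing else may call into OpenSSL between the clear and the hsfunc/rfunc/wfunc call, since that is what makes the clear sufficient. tls_bio() begins and ends outside the hunk.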
@@ -20,7 +20,7 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20200511"
+#define MAIL_RELEASE_DATE "20200515"
 #define MAIL_VERSION_NUMBER "3.6"
 #ifdef SNAPSHOT
diff --git a/postfix/src/tls/tls_bio_ops.c b/postfix/src/tls/tls_bio_ops.c
index 1f4ec41f1..9b6619547 100644
--- a/postfix/src/tls/tls_bio_ops.c
+++ b/postfix/src/tls/tls_bio_ops.c
@@ -194,6 +194,13 @@ int tls_bio(int fd, int timeout, TLS_SESS_STATE *TLScontext,
 * handling any pending network I/O.
 */
 for (;;) {
+
+ /*
+ * Flush the per-thread SSL error queue. Otherwise, errors from other
+ * code that also uses TLS may confuse SSL_get_error(3).
+ */
+ ERR_clear_error();
+
 if (hsfunc)
 status = hsfunc(TLScontext->con);
 else if (rfunc)
diff --git a/postfix/src/tls/tls_session.c b/postfix/src/tls/tls_session.c
index 3f6027fc4..a4b7a8f25 100644
--- a/postfix/src/tls/tls_session.c
+++ b/postfix/src/tls/tls_session.c
@@ -118,7 +118,7 @@ void tls_session_stop(TLS_APPL_STATE *unused_ctx, VSTREAM *stream, int timeou
 * so we will not perform SSL_shutdown() and the session will be removed
 * as being bad.
 */
- if (!failure) {
+ if (!failure && !SSL_in_init(TLScontext->con)) {
 retval = tls_bio_shutdown(vstream_fileno(stream), timeout, TLScontext);
 if (!var_tls_fast_shutdown && retval == 0)
 tls_bio_shutdown(vstream_fileno(stream), timeout, TLScontext);
diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c
index 587b2f61a..70ea8042e 100644
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@@ -781,6 +781,7 @@ static void tlsp_strategy(TLSP_STATE *state)
 */
 if (state->flags & TLSP_FLAG_DO_HANDSHAKE) {
 state->timeout = state->handshake_timeout;
+ ERR_clear_error();
 if (state->is_server_role)
 ssl_stat = SSL_accept(tls_context->con);
 else
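Review bot: With the added `!SSL_in_init(TLScontext->con)` guard in tls_session_stop(), `retval` is no longer assigned when a session is torn down before its handshake completed; if `retval` is read after this block, it keeps whatever value it had before, so confirm it is initialized at its declaration or unused on that path (the function starts and ends outside the hunk, so I cannot see either). The comment above the condition still only explains the `failure` case; a short addition would spare the next reader a trip to the HISTORY file: `* A handshake that never completed has no close_notify to exchange; calling SSL_shutdown() here only produces "shutdown while in init" noise.`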
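Review bot: `ERR_clear_error()` is inserted by hand before SSL_accept()/SSL_connect() in this hunk and, in the same way, before SSL_shutdown(), SSL_write() and SSL_read() in the tlsp_strategy() hunks at -809, -838 and -870, but none of the four sites says why, unlike the tls_bio_ops.c change in this commit. Any future SSL_* call in tlsproxy whose return value is fed to SSL_get_error() will silently reintroduce the cross-session 'lost connection' misdiagnosis the commit fixes. Suggest one comment at this first site, `/* Drop stale OpenSSL error-queue entries left by other sessions in this process, so that SSL_get_error() below reflects only this call. */`, with a one-line reference at the other three; a tiny static helper that clears and then performs the SSL call would make the pairing impossible to forget, which I would prefer over repeating it. tlsp_strategy() begins and ends outside these hunks, and the -870 hunk itself runs past the end of the chunk shown.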
@@ -809,6 +810,7 @@ static void tlsp_strategy(TLSP_STATE *state)
 if (NBBIO_ERROR_FLAGS(plaintext_buf)) {
 if (NBBIO_ACTIVE_FLAGS(plaintext_buf))
 nbbio_disable_readwrite(state->plaintext_buf);
+ ERR_clear_error();
 if (!SSL_in_init(tls_context->con) && (ssl_stat = SSL_shutdown(tls_context->con)) < 0) {
 handshake_err = SSL_get_error(tls_context->con, ssl_stat);
@@ -838,6 +840,7 @@ static void tlsp_strategy(TLSP_STATE *state)
 */
 ssl_write_err = SSL_ERROR_NONE;
 while (NBBIO_READ_PEND(plaintext_buf) > 0) {
+ ERR_clear_error();
 ssl_stat = SSL_write(tls_context->con, NBBIO_READ_BUF(plaintext_buf), NBBIO_READ_PEND(plaintext_buf));
 ssl_write_err = SSL_get_error(tls_context->con, ssl_stat);
@@ -870,6 +873,7 @@ static void tlsp_strategy(TLSP_STATE *state)
 */
 ssl_read_err = SSL_ERROR_NONE;
 while (NBBIO_WRITE_PEND(state->plaintext_buf) < NBBIO_BUFSIZE(plaintext_buf)) {
+ ERR_clear_error();
 ssl_stat = SSL_read(tls_context->con, NBBIO_WRITE_BUF(plaintext_buf) + NBBIO_WRITE_PEND(state->plaintext_buf),