diff --git a/postfix/HISTORY b/postfix/HISTORY index 1ef6ecf5b..512e1f356 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -23535,3 +23535,13 @@ Apologies for any names omitted. Release: first production snapshot with multiple outbound deliveries per TLS-encrypted connection. + +20180618 + + Quick tlsproxy workaround: after the remote TLS peer shuts + down TLS, allow unsent inbound plaintext to trickle out + before tearing down the proxied connection. This addresses + a sporadic "lost connection after end-of-data" error in the + Postfix SMTP client, and addresses a sporadic "lost connection + after sending QUIT" error with "posttls-finger -X". File: + tlsproxy/tlsproxy.c. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 591c9ab4a..daf6a00f7 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -46,7 +46,7 @@ Postfix 2.8, to support STARTTLS in postscreen(8). Under high-traffic conditions, the Postfix SMTP client will use the scache(8) connection cache to store and retrieve open connections. This part already existed for plaintext SMTP, and it works in the -same way for TLS-encryped connections. +same way for TLS-encrypted connections. The following illustrates how TLS connections are reused: diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 762261a23..74fa21d88 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20180617" +#define MAIL_RELEASE_DATE "20180618" #define MAIL_VERSION_NUMBER "3.4" #ifdef SNAPSHOT diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c index 241e83b2a..5858ad298 100644 --- a/postfix/src/tlsproxy/tlsproxy.c +++ b/postfix/src/tlsproxy/tlsproxy.c 
@@ -474,6 +474,12 @@ static int tlsp_eval_tls_error(TLSP_STATE *state, int err) tls_print_errors(); /* FALLTHROUGH */ default: + + /* + * Allow buffered-up plaintext output to trickle out. + */ + if (state->plaintext_buf && NBBIO_WRITE_PEND(state->plaintext_buf)) + return (TLSP_STAT_OK); tlsp_state_free(state); return (TLSP_STAT_ERR); } @@ -1013,7 +1019,7 @@ static void tlsp_get_request_event(int event, void *context) "(bogus_direction)", state->remote_endpt); state->req_flags = req_flags; /* state->is_server_role is set below. */ - state->handshake_timeout = handshake_timeout + 10; /* XXX */ + state->handshake_timeout = handshake_timeout; state->session_timeout = session_timeout + 10; /* XXX */ /*
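Review bot: The new early return in the `default:` branch of tlsp_eval_tls_error() keeps the state alive and reports `TLSP_STAT_OK`, but nothing in the hunk stops further ciphertext-side I/O or says which path frees the state once the plaintext buffer has drained. Because the preceding case falls through into `default:` after `tls_print_errors()`, the return is taken for logged TLS errors as well as for the orderly peer shutdown that the HISTORY entry describes. If the plaintext peer never reads, teardown presumably depends on a timer outside this hunk, which is worth confirming. I would extend the comment to record the contract, e.g. `/* Allow buffered-up plaintext output to trickle out; no further ciphertext I/O may be attempted, and the state is freed by the plaintext write/timeout path (confirm). */`, and consider marking the ciphertext side as finished before returning. The function body starts and ends outside the hunk.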
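Review bot: Dropping the `+ 10` slack from `state->handshake_timeout` leaves the next line, `state->session_timeout = session_timeout + 10; /* XXX */`, with a margin the handshake timer no longer has, and neither a comment nor the HISTORY entry explains the difference. If the margin was there so that the requesting client's own timer fires before the proxy's (an inference; the reason is not visible here), the two deadlines can now expire at the same moment during the handshake. A short comment on the changed line, such as `/* No slack here: the handshake deadline is enforced exactly as requested. */`, would record the intent and say why the session timeout keeps its margin. tlsp_get_request_event() continues outside the hunk.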