diff --git a/postfix/HISTORY b/postfix/HISTORY index 23e8bebd5..f41ef305f 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -24666,10 +24666,8 @@ Apologies for any names omitted. but "smtpd_tls_ask_clientcert = no". Files: proto/postconf.proto, smtpd/smtpd_check.c. -20200315 +20200316 - Bugfix (introduced: 20190517 development release): in - check_ccert_access, the issuer_cn and subject_cn matches - now require that the client certificate is signed by a CA - that the Postfix SMTP server trusts. Files: smtpd/smtpd_check.c, + Removed the issuer_cn and subject_cn matches from + check_ccert_access. Files: smtpd/smtpd_check.c, proto/postconf.proto. diff --git a/postfix/RELEASE_NOTES-3.5 b/postfix/RELEASE_NOTES-3.5 index 4fa6a616b..d3c41b83b 100644 --- a/postfix/RELEASE_NOTES-3.5 +++ b/postfix/RELEASE_NOTES-3.5 @@ -72,10 +72,7 @@ exact same result: search_order = cert_fingerprint, pubkey_fingerprint } } ... -The check_ccert_access search order also supports the subject_cn and -issuer_cn client certificate properties, when the client certificate -is signed by a CA that the Postfix SMTP server trusts. Support is -planned for rfc822name and smtputf8mailbox. +Support is planned for other certificate features. Major changes - dovecot usability --------------------------------- diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 3a8dc8e78..5930016ae 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -14252,10 +14252,7 @@ above corresponds with:
check_ccert_access { type:table, { search_order = cert_fingerprint, pubkey_fingerprint } }
-
The commas are optional. Other valid search_order elements are
-"subject_cn" (the certificate subject CN) and "issuer_cn" (the
-certificate issuer CN). These require that the client certificate
-is signed by a CA that the Postfix SMTP server trusts.
+
The commas are optional.
check_client_access type:table
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 3f6e3b4a2..d1e3147b5 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -9535,10 +9535,7 @@ above corresponds with: check_ccert_access { type:table, { search_order = cert_fingerprint, pubkey_fingerprint } } .br -The commas are optional. Other valid search_order elements are -"subject_cn" (the certificate subject CN) and "issuer_cn" (the -certificate issuer CN). These require that the client certificate -is signed by a CA that the Postfix SMTP server trusts. +The commas are optional. .br .IP "\fBcheck_client_access \fItype:table\fR\fR" Search the specified access database for the client hostname, diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index d9702a473..ca384963b 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -5123,10 +5123,7 @@ above corresponds with:
check_ccert_access { type:table, { search_order = cert_fingerprint, pubkey_fingerprint } }
-
The commas are optional. Other valid search_order elements are
-"subject_cn" (the certificate subject CN) and "issuer_cn" (the
-certificate issuer CN). These require that the client certificate
-is signed by a CA that the Postfix SMTP server trusts.
+
The commas are optional.
check_client_access type:table
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 52bf63af8..86d23e701 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20200315" +#define MAIL_RELEASE_DATE "20200316" #define MAIL_VERSION_NUMBER "3.6" #ifdef SNAPSHOT diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index c76669b08..35c713158 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -3186,24 +3186,14 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec, const char *action; const char *match_this; const char *known_action; - int need_trusted_cert; for (action = search_order; *action; action++) { - need_trusted_cert = 1; switch (*action) { case SMTPD_ACL_SEARCH_CODE_CERT_FPRINT: match_this = state->tls_context->peer_cert_fprint; - need_trusted_cert = 0; break; case SMTPD_ACL_SEARCH_CODE_PKEY_FPRINT: match_this = state->tls_context->peer_pkey_fprint; - need_trusted_cert = 0; - break; - case SMTPD_ACL_SEARCH_CODE_CERT_ISSUER_CN: - match_this = state->tls_context->issuer_CN; - break; - case SMTPD_ACL_SEARCH_CODE_CERT_SUBJECT_CN: - match_this = state->tls_context->peer_CN; break; default: known_action = str_name_code(search_actions, *action); @@ -3216,13 +3206,6 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec, 451, "4.3.5", "Server configuration error")); } - if (need_trusted_cert && !TLS_CERT_IS_TRUSTED(state->tls_context)) { - if (msg_verbose) - msg_info("%s: skipping %s %s: untrusted client certificate", - myname, str_name_code(search_actions, *action), - match_this); - return SMTPD_CHECK_DUNNO; - } if (msg_verbose) msg_info("%s: look up %s %s", myname, str_name_code(search_actions, *action),
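Review bot: Dropping the `need_trusted_cert` guard together with the two CN cases leaves nothing in check_ccert_access recording that name-based certificate properties are only meaningful when the chain is trusted, and the `search_actions` table and `SMTPD_ACL_SEARCH_CODE_CERT_ISSUER_CN`/`SMTPD_ACL_SEARCH_CODE_CERT_SUBJECT_CN` constants are outside this hunk, so if they still accept "subject_cn"/"issuer_cn" such a search_order now reaches the `default:` branch and yields the 451 "Server configuration error" per connection instead of being refused when the access rule is parsed. The fingerprint cases are unaffected, since the old code already set `need_trusted_cert = 0` for both of them. I would add a comment above the switch, `/* Only self-authenticating properties (fingerprints) are matched here; any name-based property must additionally require TLS_CERT_IS_TRUSTED(). */`, so the trust requirement is not silently lost if CN or name matching is reintroduced. The second hunk (the removed trust check) is a pure deletion; check_ccert_access begins and ends outside these hunks.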