diff -ruN ../old/netqmail-1.06/README.tls netqmail-1.06/README.tls
--- ../old/netqmail-1.06/README.tls	2019-04-09 20:42:08.230641152 +0200
+++ netqmail-1.06/README.tls	2020-01-10 21:46:22.909448586 +0100
@@ -1,4 +1,4 @@
-Frederik Vermeulen <qmail-tls akrul inoa.net> 20190408
+Frederik Vermeulen <qmail-tls akrul inoa.net> 20200107
 http://inoa.net/qmail-tls/
 
 This patch implements RFC 3207 in qmail. 
@@ -9,7 +9,7 @@
 
 Usage: - install OpenSSL-1.1.0 http://www.openssl.org/ or later
          (any version since 0.9.8 is presumed to work)
-       - apply patch to netqmail-1.06 http://qmail.org/netqmail
+       - apply patch to netqmail-1.06 http://www.usenix.org.uk/mirrors/qmail/netqmail
          The patches to qmail-remote.c and qmail-smtpd.c can be applied 
          separately.
        - provide a server certificate in /var/qmail/control/servercert.pem.
diff -ruN ../old/netqmail-1.06/conf-cc netqmail-1.06/conf-cc
--- ../old/netqmail-1.06/conf-cc	2019-05-24 14:26:25.300939812 +0200
+++ netqmail-1.06/conf-cc	2020-01-10 21:52:13.080721081 +0100
@@ -1,3 +1,3 @@
-cc -O2 -g -DEXTERNAL_TODO -DTLS=20190517 -I/usr/local/ssl/include -I/home/vpopmail/include
+cc -O2 -g -DEXTERNAL_TODO -DTLS=20200107 -I/usr/local/ssl/include -I/home/vpopmail/include
 
 This will be used to compile .c files.
diff -ruN ../old/netqmail-1.06/qmail-remote.c netqmail-1.06/qmail-remote.c
--- ../old/netqmail-1.06/qmail-remote.c	2019-04-07 14:55:37.451093660 +0200
+++ netqmail-1.06/qmail-remote.c	2020-01-10 21:48:44.435939624 +0100
@@ -455,6 +455,10 @@
     SSL_CTX_use_RSAPrivateKey_file(ctx, CLIENTCERT, SSL_FILETYPE_PEM);
 # undef CLIENTCERT
 
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+  SSL_CTX_set_post_handshake_auth(ctx, 1);
+#endif
+
   myssl = SSL_new(ctx);
   SSL_CTX_free(ctx);
   if (!myssl) {
diff -ruN ../old/netqmail-1.06/ssl_timeoutio.c netqmail-1.06/ssl_timeoutio.c
--- ../old/netqmail-1.06/ssl_timeoutio.c	2019-04-09 21:12:06.445883062 +0200
+++ netqmail-1.06/ssl_timeoutio.c	2020-01-10 21:51:32.057157279 +0100
@@ -73,7 +73,16 @@
 {
   int r=0;
 
-  SSL_renegotiate(ssl);
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+  if (SSL_version(ssl) >= TLS1_3_VERSION){
+    if(SSL_verify_client_post_handshake(ssl) != 1)
+      return -EPROTO;
+  } else
+#endif
+  {
+    r =  SSL_renegotiate(ssl);
+    if (r<=0) return r;
+  }
 
 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
   char buf[1]; /* dummy read buffer */
@@ -81,6 +90,9 @@
   fd_set fds;
   r = ssl_timeoutio(SSL_do_handshake, t, rfd, wfd, ssl, NULL, 0);
   if (r <=0) return r;
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+  if (SSL_version(ssl) >= TLS1_3_VERSION) return r;
+#endif
 
   tv.tv_sec = (time_t)t; tv.tv_usec = 0;
   FD_ZERO(&fds);  FD_SET(rfd, &fds);