diff --git a/src/smtpd/smtpd_haproxy.c b/src/smtpd/smtpd_haproxy.c
index 599e3ed..a4c527c 100644
--- a/src/smtpd/smtpd_haproxy.c
+++ b/src/smtpd/smtpd_haproxy.c
@@ -96,6 +96,14 @@ int     smtpd_peer_from_haproxy(SMTPD_STATE *state)
     VSTRING *escape_buf;
 
     /*
+     * While reading HAProxy handshake information, don't buffer input beyond
+     * the end-of-line. That would break the TLS wrappermode handshake.
+     */
+    vstream_control(state->client,
+		    VSTREAM_CTL_BUFSIZE, 1,
+		    VSTREAM_CTL_END);
+
+    /*
      * Note: the haproxy_srvr_parse() routine performs address protocol
      * checks, address and port syntax checks, and converts IPv4-in-IPv6
      * address string syntax (:ffff::1.2.3.4) to IPv4 syntax where permitted
@@ -142,6 +150,13 @@ int     smtpd_peer_from_haproxy(SMTPD_STATE *state)
 	 * Avoid surprises in the Dovecot authentication server.
 	 */
 	state->dest_addr = mystrdup(smtp_server_addr.buf);
+
+	/*
+	 * Enable normal buffering.
+	 */
+	vstream_control(state->client,
+			VSTREAM_CTL_BUFSIZE, VSTREAM_BUFSIZE,
+			VSTREAM_CTL_END);
 	return (0);
     }
 }