diff -ru a/sendmail/deliver.c b/sendmail/deliver.c

--- a/sendmail/deliver.c	2016-02-29 06:01:55.000000000 -0800

+++ b/sendmail/deliver.c	2016-02-29 06:02:06.000000000 -0800

@@ -6274,8 +6274,7 @@

 				tlslogerr(LOG_WARNING, "client");

 		}

-		SSL_free(clt_ssl);

-		clt_ssl = NULL;

+		SM_SSL_FREE(clt_ssl);

 		return EX_SOFTWARE;

 	}

 	mci->mci_ssl = clt_ssl;

@@ -6287,8 +6286,7 @@

 		return EX_OK;

 	/* failure */

-	SSL_free(clt_ssl);

-	clt_ssl = NULL;

+	SM_SSL_FREE(clt_ssl);

 	return EX_SOFTWARE;

 }

 /*

@@ -6309,7 +6307,7 @@

 	if (!bitset(MCIF_TLSACT, mci->mci_flags))

 		return EX_OK;

-	r = endtls(mci->mci_ssl, "client");

+	r = endtls(&mci->mci_ssl, "client");

 	mci->mci_flags &= ~MCIF_TLSACT;

 	return r;

 }

diff -ru a/sendmail/macro.c b/sendmail/macro.c

--- a/sendmail/macro.c	2016-02-29 06:01:55.000000000 -0800

+++ b/sendmail/macro.c	2016-02-29 06:02:06.000000000 -0800

@@ -362,6 +362,33 @@

 }

 /*

+**  MACTABCLEAR -- clear entire macro table

+**

+**	Parameters:

+**		mac -- Macro table.

+**

+**	Returns:

+**		none.

+**

+**	Side Effects:

+**		clears entire mac structure including rpool pointer!

+*/

+

+void

+mactabclear(mac)

+	MACROS_T *mac;

+{

+	int i;

+

+	if (mac->mac_rpool == NULL)

+	{

+		for (i = 0; i < MAXMACROID; i++)

+	    		SM_FREE_CLR(mac->mac_table[i]);

+	}

+	memset((char *) mac, '\0', sizeof(*mac));

+}

+

+/*

 **  MACDEFINE -- bind a macro name to a value

 **

 **	Set a macro to a value, with fancy storage management.

diff -ru a/sendmail/mci.c b/sendmail/mci.c

--- a/sendmail/mci.c	2016-02-29 06:01:55.000000000 -0800

+++ b/sendmail/mci.c	2016-02-29 06:02:06.000000000 -0800

@@ -25,6 +25,7 @@

 						  int, bool));

 static bool	mci_load_persistent __P((MCI *));

 static void	mci_uncache __P((MCI **, bool));

+static void	mci_clear __P((MCI *));

 static int	mci_lock_host_statfile __P((MCI *));

 static int	mci_read_persistent __P((SM_FILE_T *, MCI *));

@@ -253,6 +254,7 @@

 	SM_FREE_CLR(mci->mci_status);

 	SM_FREE_CLR(mci->mci_rstatus);

 	SM_FREE_CLR(mci->mci_heloname);

+ 	mci_clear(mci);

 	if (mci->mci_rpool != NULL)

 	{

 		sm_rpool_free(mci->mci_rpool);

@@ -315,6 +317,41 @@

 }

 /*

+**  MCI_CLEAR -- clear mci

+**

+**	Parameters:

+**		mci -- the connection to clear.

+**

+**	Returns:

+**		none.

+*/

+

+static void

+mci_clear(mci)

+	MCI *mci;

+{

+	if (mci == NULL)

+		return;

+

+	mci->mci_maxsize = 0;

+	mci->mci_min_by = 0;

+	mci->mci_deliveries = 0;

+#if SASL

+	if (bitset(MCIF_AUTHACT, mci->mci_flags))

+		sasl_dispose(&mci->mci_conn);

+#endif

+#if STARTTLS

+	if (bitset(MCIF_TLSACT, mci->mci_flags) && mci->mci_ssl != NULL)

+		SM_SSL_FREE(mci->mci_ssl);

+#endif

+

+	/* which flags to preserve? */

+	mci->mci_flags &= MCIF_CACHED;

+	mactabclear(&mci->mci_macro);

+}

+

+

+/*

 **  MCI_GET -- get information about a particular host

 **

 **	Parameters:

@@ -419,6 +456,7 @@

 			mci->mci_errno = 0;

 			mci->mci_exitstat = EX_OK;

 		}

+	 	mci_clear(mci);

 	}

 	return mci;

diff -ru a/sendmail/sendmail.h b/sendmail/sendmail.h

--- a/sendmail/sendmail.h	2016-02-29 06:01:55.000000000 -0800

+++ b/sendmail/sendmail.h	2016-02-29 06:02:06.000000000 -0800

@@ -1186,6 +1186,7 @@

 #define macid(name)  macid_parse(name, NULL)

 extern char	*macname __P((int));

 extern char	*macvalue __P((int, ENVELOPE *));

+extern void	mactabclear __P((MACROS_T *));

 extern int	rscheck __P((char *, char *, char *, ENVELOPE *, int, int, char *, char *, ADDRESS *, char **));

 extern int	rscap __P((char *, char *, char *, ENVELOPE *, char ***, char *, int));

 extern void	setclass __P((int, char *));

@@ -2002,7 +2003,15 @@

 extern void	setclttls __P((bool));

 extern bool	initsrvtls __P((bool));

 extern int	tls_get_info __P((SSL *, bool, char *, MACROS_T *, bool));

-extern int	endtls __P((SSL *, char *));

+#define SM_SSL_FREE(ssl)			\

+	do {					\

+		if (ssl != NULL)		\

+		{				\

+			SSL_free(ssl);		\

+			ssl = NULL;		\

+		}				\

+	} while (0)

+extern int	endtls __P((SSL **, char *));

 extern void	tlslogerr __P((int, const char *));

diff -ru a/sendmail/srvrsmtp.c b/sendmail/srvrsmtp.c

--- a/sendmail/srvrsmtp.c	2016-02-29 06:01:55.000000000 -0800

+++ b/sendmail/srvrsmtp.c	2016-02-29 06:02:06.000000000 -0800

@@ -2122,8 +2122,7 @@

 			if (get_tls_se_options(e, srv_ssl, true) != 0)

 			{

 				message("454 4.3.3 TLS not available: error setting options");

-				SSL_free(srv_ssl);

-				srv_ssl = NULL;

+				SM_SSL_FREE(srv_ssl);

 				goto tls_done;

 			}

@@ -2145,8 +2144,7 @@

 			    SSL_set_wfd(srv_ssl, wfd) <= 0)

 			{

 				message("454 4.3.3 TLS not available: error set fd");

-				SSL_free(srv_ssl);

-				srv_ssl = NULL;

+				SM_SSL_FREE(srv_ssl);

 				goto tls_done;

 			}

 			if (!smtps)

@@ -2188,8 +2186,7 @@

 						tlslogerr(LOG_WARNING, "server");

 				}

 				tls_ok_srv = false;

-				SSL_free(srv_ssl);

-				srv_ssl = NULL;

+				SM_SSL_FREE(srv_ssl);

 				/*

 				**  according to the next draft of

@@ -3416,7 +3413,7 @@

 			/* shutdown TLS connection */

 			if (tls_active)

 			{

-				(void) endtls(srv_ssl, "server");

+				(void) endtls(&srv_ssl, "server");

 				tls_active = false;

 			}

 #endif /* STARTTLS */

diff -ru a/sendmail/tls.c b/sendmail/tls.c

--- a/sendmail/tls.c	2016-02-29 06:01:55.000000000 -0800

+++ b/sendmail/tls.c	2016-02-29 06:02:06.000000000 -0800

@@ -1624,7 +1624,7 @@

 **  ENDTLS -- shutdown secure connection

 **

 **	Parameters:

-**		ssl -- SSL connection information.

+**		pssl -- pointer to TLS session context

 **		side -- server/client (for logging).

 **

 **	Returns:

@@ -1632,12 +1632,16 @@

 */

 int

-endtls(ssl, side)

-	SSL *ssl;

+endtls(pssl, side)

+	SSL **pssl;

 	char *side;

 {

 	int ret = EX_OK;

+	SSL *ssl;

+	SM_REQUIRE(pssl != NULL);

+ 	ret = EX_OK;

+	ssl = *pssl;

 	if (ssl != NULL)

 	{

 		int r;

@@ -1703,8 +1707,7 @@

 			ret = EX_SOFTWARE;

 		}

 # endif /* !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER > 0x0090602fL */

-		SSL_free(ssl);

-		ssl = NULL;

+		SM_SSL_FREE(*pssl);

 	}

 	return ret;

 }