diff --git a/SOURCES/sendmail-8.15.2-tlsfallback.patch b/SOURCES/sendmail-8.15.2-tlsfallback.patch
new file mode 100644
index 0000000..ff67d73
--- /dev/null
+++ b/SOURCES/sendmail-8.15.2-tlsfallback.patch
@@ -0,0 +1,204 @@
+commit 72c678024d5f7b97bae8c20cc3fb2e0299778d5b
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Mon Sep 7 12:41:05 2020 +0200
+
+    Backport confTLS_FALLBACK_TO_CLEAR Configuration option
+
+diff --git a/cf/README b/cf/README
+index 91e69a9..e8941ad 100644
+--- a/cf/README
++++ b/cf/README
+@@ -4011,6 +4011,10 @@ confUSERDB_SPEC		UserDatabaseSpec
+ confFALLBACK_MX		FallbackMXhost	[undefined] Fallback MX host.
+ confFALLBACK_SMARTHOST	FallbackSmartHost
+ 					[undefined] Fallback smart host.
++confTLS_FALLBACK_TO_CLEAR	TLSFallbacktoClear
++					[undefined] If set, immediately try
++					a connection again without STARTTLS
++					after a TLS handshake failure.
+ confTRY_NULL_MX_LIST	TryNullMXList	[False] If this host is the best MX
+ 					for a host and other arrangements
+ 					haven't been made, try connecting
+diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4
+index 0df3416..a741d97 100644
+--- a/cf/m4/proto.m4
++++ b/cf/m4/proto.m4
+@@ -656,6 +656,8 @@ _OPTION(CipherList, `confCIPHER_LIST', `')
+ _OPTION(ServerSSLOptions, `confSERVER_SSL_OPTIONS', `')
+ # client side SSL options
+ _OPTION(ClientSSLOptions, `confCLIENT_SSL_OPTIONS', `')
++# TLS: fall back to clear text after handshake failure?
++_OPTION(TLSFallbacktoClear, `confTLS_FALLBACK_TO_CLEAR', `')
+ 
+ # Input mail filters
+ _OPTION(InputMailFilters, `confINPUT_MAIL_FILTERS', `')
+@@ -2856,6 +2858,7 @@ R<$-:$+><VERIFY $*> <$*> FAIL	$#error $@ $2 $: $1 " authentication failed"
+ R<$-:$+><VERIFY $*> <$*> NO	$#error $@ $2 $: $1 " not authenticated"
+ R<$-:$+><VERIFY $*> <$*> NOT	$#error $@ $2 $: $1 " no authentication requested"
+ R<$-:$+><VERIFY $*> <$*> NONE	$#error $@ $2 $: $1 " other side does not support STARTTLS"
++R<$-:$+><VERIFY $*> <$*> CLEAR	$#error $@ $2 $: $1 " STARTTLS disabled locally"
+ dnl some other value for ${verify}
+ R<$-:$+><VERIFY $*> <$*> $+	$#error $@ $2 $: $1 " authentication failure " $4
+ dnl some level of encryption required: get the maximum level (case 2.)
+diff --git a/doc/op/op.me b/doc/op/op.me
+index 57e25cd..97d3b9c 100644
+--- a/doc/op/op.me
++++ b/doc/op/op.me
+@@ -8340,6 +8340,22 @@ PostMilter is useful only when
+ .i sendmail
+ is running as an SMTP server; in all other situations it
+ acts the same as True.
++.ip TLSFallbacktoClear
++[no short name]
++If set,
++.i sendmail
++immediately tries an outbound connection again without STARTTLS
++after a TLS handshake failure.
++Note:
++this applies to all connections even if TLS specific requirements are set
++(see rulesets
++.i tls_rcpt
++and
++.i tls_client
++).
++Hence such requirements will cause an error on a retry without STARTTLS.
++Therefore they should only trigger a temporary failure so the connection
++is later on tried again.
+ .ip TLSSrvOptions
+ [no short name]
+ List of options for SMTP STARTTLS for the server
+diff --git a/sendmail/deliver.c b/sendmail/deliver.c
+index 8027a50..af42e8f 100644
+--- a/sendmail/deliver.c
++++ b/sendmail/deliver.c
+@@ -1334,6 +1334,10 @@ deliver(e, firstto)
+ 	char *pv[MAXPV + 1];
+ 	char buf[MAXNAME + 1];
+ 	char cbuf[MAXPATHLEN];
++#if STARTTLS
++	/* 0: try TLS, 1: try without TLS again, >1: don't try again */
++	int tlsstate;
++#endif
+ 
+ 	errno = 0;
+ 	SM_REQUIRE(firstto != NULL);	/* same as to */
+@@ -1349,7 +1353,9 @@ deliver(e, firstto)
+ 	e->e_statmsg = NULL;
+ 	SmtpError[0] = '\0';
+ 	xstart = curtime();
+-
++#if STARTTLS
++	tlsstate = 0;
++#endif
+ 	if (tTd(10, 1))
+ 		sm_dprintf("\n--deliver, id=%s, mailer=%s, host=`%s', first user=`%s'\n",
+ 			e->e_id, m->m_name, host, to->q_user);
+@@ -2073,6 +2079,9 @@ tryhost:
+ 			hostnum++;
+ 			if (endp != NULL)
+ 				*endp = sep;
++#if STARTTLS
++			tlsstate = 0;
++#endif
+ 
+   one_last_try:
+ 			/* see if we already know that this host is fried */
+@@ -2960,6 +2969,8 @@ reconnect:	/* after switching to an encrypted connection */
+ 			usetls = bitset(MCIF_TLS, mci->mci_flags);
+ 			if (usetls)
+ 				usetls = !iscltflgset(e, D_NOTLS);
++			if (usetls)
++				usetls = tlsstate == 0;
+ 
+ 			host = macvalue(macid("{server_name}"), e);
+ 			if (usetls)
+@@ -3025,8 +3036,11 @@ reconnect:	/* after switching to an encrypted connection */
+ 				}
+ 			}
+ 			else
++			{
++				p = tlsstate == 0 ? "NONE": "CLEAR";
+ 				macdefine(&e->e_macro, A_PERM,
+-					  macid("{verify}"), "NONE");
++					  macid("{verify}"), p);
++			}
+ 			olderrors = Errors;
+ 			QuickAbort = false;
+ 			SuprErrs = true;
+@@ -3077,6 +3091,10 @@ reconnect:	/* after switching to an encrypted connection */
+ 					}
+ 					mci->mci_flags &= ~MCIF_TLSACT;
+ 					(void) endmailer(mci, e, pv);
++					if (TLSFallbacktoClear)
++					{
++						++tlsstate;
++					}
+ 				}
+ 				else
+ 				{
+@@ -3119,6 +3137,27 @@ reconnect:	/* after switching to an encrypted connection */
+ 				mci_clr_extensions(mci);
+ 				goto reconnect;
+ 			}
++			if (tlsstate == 1)
++			{
++				if (tTd(11, 1))
++				{
++					sm_syslog(LOG_DEBUG, NOQID,
++						"STARTTLS=client, relay=%.100s, tlsstate=%d, status=trying_again",
++						mci->mci_host, tlsstate);
++					mci_dump(NULL, mci, true);
++				}
++				++tlsstate;
++				/*
++				**  Fake the status so a new connection is
++				**  tried, otherwise the TLS error will
++				**  "persist" during this delivery attempt.
++				*/
++
++				mci->mci_errno = 0;
++				rcode = EX_OK;
++				mci_setstat(mci, rcode, NULL, NULL);
++				goto one_last_try;
++			}
+ 		}
+ # endif /* STARTTLS */
+ # if SASL
+diff --git a/sendmail/readcf.c b/sendmail/readcf.c
+index 86892f5..82660f4 100644
+--- a/sendmail/readcf.c
++++ b/sendmail/readcf.c
+@@ -2911,7 +2911,10 @@ static struct optioninfo
+ #endif
+ #define O_USECOMPRESSEDIPV6ADDRESSES 0xec
+ 	{ "UseCompressedIPv6Addresses",	O_USECOMPRESSEDIPV6ADDRESSES, OI_NONE },
+-
++#if STARTTLS
++# define O_TLSFB2CLEAR		0xef
++	{ "TLSFallbacktoClear",	O_TLSFB2CLEAR,	OI_NONE	},
++#endif
+ 	{ NULL,				'\0',		OI_NONE	}
+ };
+ 
+@@ -4305,6 +4308,9 @@ setoption(opt, val, safe, sticky, e)
+ #endif /* SASL */
+ 
+ #if STARTTLS
++	  case O_TLSFB2CLEAR:
++		TLSFallbacktoClear = atobool(val);
++		break;
+ 	  case O_SRVCERTFILE:
+ 		SET_STRING_EXP(SrvCertFile);
+ 	  case O_SRVKEYFILE:
+diff --git a/sendmail/sendmail.h b/sendmail/sendmail.h
+index 441399c..9be1e76 100644
+--- a/sendmail/sendmail.h
++++ b/sendmail/sendmail.h
+@@ -2032,6 +2032,7 @@ EXTERN char	*CRLPath;	/* path to CRLs (dir. with hashes) */
+ #endif /* _FFR_CRLPATH */
+ EXTERN unsigned long	TLS_Srv_Opts;	/* TLS server options */
+ EXTERN unsigned long	Srv_SSL_Options, Clt_SSL_Options; /* SSL options */
++EXTERN bool	TLSFallbacktoClear;
+ #endif /* STARTTLS */
+ 
+ /*
diff --git a/SPECS/sendmail.spec b/SPECS/sendmail.spec
index a9d449d..0db31ad 100644
--- a/SPECS/sendmail.spec
+++ b/SPECS/sendmail.spec
@@ -19,7 +19,7 @@
 Summary: A widely used Mail Transport Agent (MTA)
 Name: sendmail
 Version: 8.15.2
-Release: 32%{?dist}
+Release: 34%{?dist}
 License: Sendmail
 Group: System Environment/Daemons
 URL: http://www.sendmail.org/
@@ -94,6 +94,10 @@ Patch29: sendmail-8.15.2-format-security.patch
 Patch30: sendmail-8.15.2-openssl-1.1.0-ecdhe-fix.patch
 # Upstream patch:
 Patch31: sendmail-8.16.0.29-fix-covscan-issues.patch
+# Enable sendmail to stop using STARTTLS after a certain amount of previous failures
+# rhbz#1868041
+Patch32: sendmail-8.15.2-tlsfallback.patch
+
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: libdb-devel
 BuildRequires: libnsl2-devel
@@ -207,6 +211,7 @@ cp devtools/M4/UNIX/{,shared}library.m4
 %patch29 -p1 -b .format-security
 %patch30 -p1 -b .openssl-1.1.0-ecdhe-fix
 %patch31 -p1 -b .fix-covscan-issues
+%patch32 -p1
 
 for f in RELEASE_NOTES contrib/etrn.0; do
 	iconv -f iso8859-1 -t utf8 -o ${f}{_,} &&
@@ -659,12 +664,12 @@ exit 0
 %config(noreplace) %{maildir}/virtusertable
 
 %ghost %{maildir}/aliasesdb-stamp
-%ghost %{maildir}/virtusertable.db
-%ghost %{maildir}/access.db
-%ghost %{maildir}/domaintable.db
-%ghost %{maildir}/mailertable.db
+%ghost %attr(0640, root,root) %verify(not md5 size mtime) %{maildir}/virtusertable.db
+%ghost %attr(0640, root,root) %verify(not md5 size mtime) %{maildir}/access.db
+%ghost %attr(0640, root,root) %verify(not md5 size mtime) %{maildir}/domaintable.db
+%ghost %attr(0640, root,root) %verify(not md5 size mtime) %{maildir}/mailertable.db
 
-%ghost %{spooldir}/clientmqueue/sm-client.st
+%ghost %attr(0660, smmsp, smmsp) %verify(not md5 size mtime) %{spooldir}/clientmqueue/sm-client.st
 
 %{_unitdir}/sendmail.service
 %{_unitdir}/sm-client.service
@@ -713,6 +718,14 @@ exit 0
 
 
 %changelog
+* Tue Dec 01 2020 Tomas Korbar <tkorbar@redhat.com> - 8.15.2-34
+- Fix verification of ghost files
+- Resolves: rhbz#1730804
+
+* Tue Sep 08 2020 Tomas Korbar <tkorbar@redhat.com> - 8.15.2-33
+- Backport confTLS_FALLBACK_TO_CLEAR option
+- Resolves: rhbz#1868041
+
 * Fri May 03 2019 Ondřej Lysoněk <olysonek@redhat.com> - 8.15.2-32
 - Fix issues discovered by Coverity scan
 - Resolves: rhbz#1602689