--- a/src/lib-ssl-iostream/iostream-openssl.c	Thu Sep 08 11:51:18 2011 +0300
+++ b/src/lib-ssl-iostream/iostream-openssl.c	Thu Sep 08 12:14:54 2011 +0300
@@ -288,8 +288,9 @@
 		sent = o_stream_send(ssl_io->plain_output, buffer, bytes);
 		if (sent < 0) {
 			i_assert(ssl_io->plain_output->stream_errno != 0);
-			ssl_io->ssl_output->stream_errno =
+			ssl_io->plain_stream_errno =
 				ssl_io->plain_output->stream_errno;
+			ssl_io->closed = TRUE;
 			break;
 		}
 		i_assert(sent == (ssize_t)bytes);
@@ -308,7 +309,14 @@
 
 	while ((bytes = BIO_ctrl_get_write_guarantee(ssl_io->bio_ext)) > 0) {
 		/* bytes contains how many bytes we can write to bio_ext */
-		(void)i_stream_read_data(ssl_io->plain_input, &data, &size, 0);
+		if (i_stream_read_data(ssl_io->plain_input,
+				       &data, &size, 0) == -1 &&
+		    size == 0 && !bytes_read) {
+			ssl_io->plain_stream_errno =
+				ssl_io->plain_input->stream_errno;
+			ssl_io->closed = TRUE;
+			return FALSE;
+		}
 		if (size == 0) {
 			/* wait for more input */
 			break;
@@ -377,10 +385,18 @@
 			i_panic("SSL ostream buffer size not unlimited");
 			return 0;
 		}
+		if (ssl_io->closed) {
+			errno = ssl_io->plain_stream_errno;
+			return -1;
+		}
 		return 1;
 	case SSL_ERROR_WANT_READ:
 		ssl_io->want_read = TRUE;
 		(void)ssl_iostream_bio_sync(ssl_io);
+		if (ssl_io->closed) {
+			errno = ssl_io->plain_stream_errno;
+			return -1;
+		}
 		return ssl_io->want_read ? 0 : 1;
 	case SSL_ERROR_SYSCALL:
 		/* eat up the error queue */

--- a/src/lib-ssl-iostream/iostream-openssl.h	Thu Sep 08 11:51:18 2011 +0300
+++ b/src/lib-ssl-iostream/iostream-openssl.h	Thu Sep 08 12:14:54 2011 +0300
@@ -34,6 +34,7 @@
 
 	char *source;
 	char *last_error;
+	int plain_stream_errno;
 
 	/* copied settings */
 	bool verbose, verbose_invalid_cert, require_valid_cert;
@@ -47,6 +48,7 @@
 	unsigned int cert_broken:1;
 	unsigned int want_read:1;
 	unsigned int ostream_flush_waiting_input:1;
+	unsigned int closed:1;
 };
 
 extern int dovecot_ssl_extdata_index;