diff --git a/postfix-3.5.3.tar.gz b/postfix-3.5.3.tar.gz
deleted file mode 100644
index b058bf3..0000000
--- a/postfix-3.5.3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e381089cf2a03105042835776f23489c0a58600a6a6ebc8cb59f5cb1eb4d8d75
-size 4611925
diff --git a/postfix-3.5.4.tar.gz b/postfix-3.5.4.tar.gz
new file mode 100644
index 0000000..66372cf
--- /dev/null
+++ b/postfix-3.5.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fc2fb1cc27556aa2506bc287af04881cde07c83d5cb213ba835083b4bb796881
+size 4612431
diff --git a/postfix.changes b/postfix.changes
index 2673c96..02b816e 100644
--- a/postfix.changes
+++ b/postfix.changes
@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Mon Jun 29 18:44:13 UTC 2020 - Michael Ströder <michael@stroeder.com>
+
+- Update to 3.5.4:
+  * The connection_reuse attribute in smtp_tls_policy_maps always
+    resulted in an "invalid attribute name" error.
+  * SMTP over TLS connection reuse always failed for Postfix SMTP
+    client configurations that specify explicit trust anchors (remote
+    SMTP server certificates or public keys).
+  * The Postfix SMTP client's DANE implementation would always send
+    an SNI option with the name in a destination's MX record, even
+    if the MX record pointed to a CNAME record. MX records that
+    point to CNAME records are not conformant with RFC5321, and so
+    are rare.
+    Based on the DANE survey of ~2 million hosts it was found that
+    with the corrected SMTP client behavior, sending SNI with the
+    CNAME-expanded name, the SMTP server would not send a different
+    certificate. This fix should therefore be safe.
+
 -------------------------------------------------------------------
 Mon Jun 15 16:09:57 UTC 2020 - Michael Ströder <michael@stroeder.com>
 
diff --git a/postfix.spec b/postfix.spec
index c22fd85..8767bfb 100644
--- a/postfix.spec
+++ b/postfix.spec
@@ -53,7 +53,7 @@
 %bcond_with    libnsl
 %endif
 Name:           postfix
-Version:        3.5.3
+Version:        3.5.4
 Release:        0
 Summary:        A fast, secure, and flexible mailer
 License:        IPL-1.0 OR EPL-2.0