diff --git a/Changes b/Changes
index 102e4e1..ab44986 100644
--- a/Changes
+++ b/Changes
@@ -1,3 +1,5 @@
+  plugins/tls: close the file descriptor for the SSL socket
+
   Set the Return-Path header when queuing into maildir mailboxes.
 
   prefork, forkserver: restart on SIGHUP (reload all modules, with register() /
diff --git a/plugins/tls b/plugins/tls
index 7501b90..0114dff 100644
--- a/plugins/tls
+++ b/plugins/tls
@@ -152,6 +152,19 @@ sub hook_connect {
     return DECLINED;
 }
 
+sub hook_post_connection {
+    my ($self, $transaction) = @_;
+
+    my $tls_socket = $self->connection->notes('tls_socket');
+    if (defined $tls_socket && $self->connection->notes('tls_socket_is_duped')) {
+        $tls_socket->close;
+        $self->connection->notes('tls_socket', undef);
+        $self->connection->notes('tls_socked_is_duped', 0);
+    }
+
+    return DECLINED;
+}
+
 sub _convert_to_ssl {
     my ($self) = @_;
 
@@ -175,6 +188,7 @@ sub _convert_to_ssl {
         $self->qp->connection($self->connection->clone());
         $self->qp->reset_transaction;
         *STDIN = *STDOUT = $self->connection->notes('tls_socket', $tlssocket);
+        $self->connection->notes('tls_socket_is_duped', 1);
         $self->connection->notes('tls_enabled', 1);
     };
     if ($@) {