diff --git imap/imapd-ssl.dist.in imap/imapd-ssl.dist.in index d22f762..2ac593d 100644 --- imap/imapd-ssl.dist.in +++ imap/imapd-ssl.dist.in @@ -192,21 +192,23 @@ COURIERTLS=@bindir@/couriertls # DHERSA, DHEDSS, RSA, SRP, SRPRSA, SRPDSS, PSK, DHEPSK, ANONDH, RSAEXPORT TLS_KX_LIST=ALL ##NAME: TLS_COMPRESSION:0 # # GnuTLS only: # # Optional compression. "ALL" selects all available compression methods. # -# Available compression methods: DEFLATE, LZO, NULL +# Available compression methods: +# GnuTLS-2: DEFLATE, LZO, NULL +# GnuTLS-3: DEFLATE, ZLIB, NULL TLS_COMPRESSION=ALL ##NAME: TLS_CERTS:0 # # GnuTLS only: # # Supported certificate types are X509 and OPENPGP. # # OPENPGP has not been tested diff --git imap/pop3d-ssl.dist.in imap/pop3d-ssl.dist.in index 1a28104..592c05f 100644 --- imap/pop3d-ssl.dist.in +++ imap/pop3d-ssl.dist.in @@ -180,21 +180,23 @@ TLS_STARTTLS_PROTOCOL=TLS1 # DHERSA, DHEDSS, RSA, SRP, SRPRSA, SRPDSS, PSK, DHEPSK, ANONDH, RSAEXPORT TLS_KX_LIST=ALL ##NAME: TLS_COMPRESSION:0 # # GnuTLS only: # # Optional compression. "ALL" selects all available compression methods. # -# Available compression methods: DEFLATE, LZO, NULL +# Available compression methods: +# GnuTLS-2: DEFLATE, LZO, NULL +# GnuTLS-3: DEFLATE, ZLIB, NULL TLS_COMPRESSION=ALL ##NAME: TLS_CERTS:0 # # GnuTLS only: # # Supported certificate types are X509 and OPENPGP. # # OPENPGP has not been tested diff --git tcpd/configure.in tcpd/configure.in index cc4bb4b..ac089a0 100644 --- tcpd/configure.in +++ tcpd/configure.in 
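Review bot: The rewritten TLS_COMPRESSION comment in imap/imapd-ssl.dist.in lists the method names per GnuTLS version but still gives no hint that the shipped default `TLS_COMPRESSION=ALL` turns TLS-level compression on. Compression at the TLS layer can leak information about the plaintext through record sizes, and RFC 7525 recommends disabling it. How exploitable that is for IMAP and POP3 sessions depends on the deployment. I would add a line such as `# Compression can leak plaintext through record sizes; use NULL to disable it.` and consider changing the default to `TLS_COMPRESSION=NULL`. The identical hunk in imap/pop3d-ssl.dist.in needs the same treatment.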
@@ -349,33 +349,41 @@ then ], [ have_gnutls=yes ], [ have_gnutls="no: \#include failed" ]) CPPFLAGS="$save_CPPFLAGS" else - have_gnutls="no: pkgconfig --modeversion gnutls failed" + have_gnutls="no: pkgconfig --modversion gnutls failed" fi else have_gnutls="no: pkg-config not found" fi AC_MSG_RESULT($have_gnutls) if test "$have_gnutls" = "yes" then LIBCOURIERTLSGNUTLS="libcouriertlsgnutls.la" CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags gnutls`" - gnutlsdep="`$PKGCONFIG --libs gnutls` -lgnutls-extra" + have_gnutls3=no + PKG_CHECK_EXISTS([gnutls >= 3.0], [have_gnutls3=yes]) + if test "x$have_gnutls3" = "xno" + then + gnutlsdep="`$PKGCONFIG --libs gnutls` -lgnutls-extra" + else + gnutlsdep="`$PKGCONFIG --libs gnutls`" + AC_DEFINE([HAVE_GNUTLS3], [1], [Use GnuTLS3]) + fi fi AC_CHECK_SIZEOF(gnutls_transport_ptr_t,0, [ AC_INCLUDES_DEFAULT #include ]) AC_CHECK_SIZEOF(long,0) cast_to_ptr_t="" diff --git tcpd/libcouriergnutls.c tcpd/libcouriergnutls.c index 4aa4996..eb30fd2 100644 --- tcpd/libcouriergnutls.c +++ tcpd/libcouriergnutls.c @@ -2,21 +2,23 @@ ** Copyright 2007-2009 Double Precision, Inc. ** See COPYING for distribution information. */ #include "config.h" #include "argparse.h" #include "spipe.h" #include "libcouriertls.h" #include "tlscache.h" #include "soxwrap/soxwrap.h" #include +#ifndef HAVE_GNUTLS3 #include +#endif #include #include #include #include #include #include #include #if HAVE_DIRENT_H #include #define NAMLEN(dirent) strlen((dirent)->d_name) 
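Review bot: The GnuTLS 3 probe in tcpd/configure.in uses `PKG_CHECK_EXISTS([gnutls >= 3.0], ...)`, while the `--cflags` and `--libs` queries right next to it go through the script's own `$PKGCONFIG` variable. The version test and the flag queries can therefore consult different pkg-config binaries or search paths, for example in a cross build. It also makes regenerating configure depend on pkg.m4 being available; whether this file already pulls in the PKG_* macros is not visible in the hunk. Using the same tool for both keeps the result consistent: `if $PKGCONFIG --atleast-version=3.0 gnutls; then have_gnutls3=yes; fi`. The enclosing `if`/`then` block starts outside the hunk.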
@@ -139,21 +141,25 @@ static const struct intmap { { "SRP", GNUTLS_KX_SRP}, { "SRPRSA", GNUTLS_KX_SRP_RSA}, { "SRPDSS", GNUTLS_KX_SRP_DSS}, { "PSK", GNUTLS_KX_PSK}, { "DHEPSK", GNUTLS_KX_DHE_PSK}, { "ANONDH", GNUTLS_KX_ANON_DH}, { "RSAEXPORT", GNUTLS_KX_RSA_EXPORT}, { NULL, 0} }, all_comps[]={ { "DEFLATE", GNUTLS_COMP_DEFLATE}, +#ifndef HAVE_GNUTLS3 { "LZO", GNUTLS_COMP_LZO}, +#else + { "ZLIB", GNUTLS_COMP_ZLIB}, +#endif { "NULL", GNUTLS_COMP_NULL}, { NULL, 0} }, all_certs[]={ { "X509", GNUTLS_CRT_X509}, { "OPENPGP", GNUTLS_CRT_OPENPGP}, { NULL, 0} }; struct ssl_context_t { int isserver; @@ -401,28 +407,30 @@ ssl_context tls_create(int isserver, const struct tls_info *info) first=0; if (gnutls_global_init() < 0) { fprintf(stderr, "gnutls_global_init() failed\n"); free(p); errno=EINVAL; return (NULL); } +#ifndef HAVE_GNUTLS3 if (gnutls_global_init_extra() < 0) { gnutls_global_deinit(); fprintf(stderr, "gnutls_global_init() failed\n"); free(p); errno=EINVAL; return (NULL); } +#endif } if (!(words=splitwords(safe_getenv(p, "TLS_PROTOCOL", "TLS1_1:TLS1:SSL3"), &n))) { tls_destroy(p); return NULL; } if ((p->protocol_list=malloc((n+1)*sizeof(int))) == NULL)
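Review bot: In the `all_comps[]` table the GnuTLS 3 branch drops the "LZO" row, so an existing configuration that names LZO in TLS_COMPRESSION no longer maps to anything when built against GnuTLS 3. What happens to an unknown name is decided by lookup code outside this hunk, and it should be confirmed that it fails loudly instead of silently choosing something else. In the GnuTLS headers I am aware of, `GNUTLS_COMP_ZLIB` is an alias for `GNUTLS_COMP_DEFLATE`; if that holds here, the added "ZLIB" row gives "ALL" the same method twice and is only a synonym, so please verify. A short comment on the branch would help the next reader, e.g. `/* GnuTLS 3 build: gnutls-extra is not linked, so LZO is unavailable */`.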
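Review bot: In the `tls_create()` block now wrapped by `#ifndef HAVE_GNUTLS3`, a failing `gnutls_global_init_extra()` still prints "gnutls_global_init() failed", so the log cannot tell the two init calls apart. `fprintf(stderr, "gnutls_global_init_extra() failed\n");` would fix that. Also, `first=0;` is assigned before either init call has succeeded. If `first` is the one-time-init guard, which the hunk suggests but does not show, a later `tls_create()` after a failure would skip library initialisation entirely; moving the assignment after the last init call avoids that. Closing the guard with `#endif /* !HAVE_GNUTLS3 */` would make it easier to follow. The function starts and ends outside the hunk.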