diff --git a/postfix-3.8.4.tar.gz b/postfix-3.8.8.tar.gz
similarity index 40%
rename from postfix-3.8.4.tar.gz
rename to postfix-3.8.8.tar.gz
index c7898cdd99bd7bf6f72f82de6546a201bafd0e62..9ce0076ff235dc2a42471e37193979f22fdf3058 100644
Binary files a/postfix-3.8.4.tar.gz and b/postfix-3.8.8.tar.gz differ
diff --git a/postfix.service b/postfix.service
index e2b43a60916277814bec6b0a233e8177de5616e2..cd7d1b8c78285960ee084ec4e7e924bf06895779 100644
--- a/postfix.service
+++ b/postfix.service
@@ -4,6 +4,18 @@ After=syslog.target network.target
 Conflicts=sendmail.service exim.service
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHome=false
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/var/spool/postfix/pid/master.pid
 EnvironmentFile=-/etc/sysconfig/network
diff --git a/postfix.spec b/postfix.spec
index 035b7f2f47229657f3eb758371ca48f8e3dd1a34..fbc872cd7a83bf79d3f1cf7d93a9c71d81df4f0e 100644
--- a/postfix.spec
+++ b/postfix.spec
@@ -22,11 +22,11 @@
 
 Name:           postfix
 Summary:        Postfix Mail Transport Agent
-Version:        3.8.4
+Version:        3.8.8
 Release:        1
 Epoch:          2
-URL:            http://www.postfix.org
-License:        (IPL-1.0 and GPLv2+) or (EPL-2.0 and GPLv2+)
+URL:            https://www.postfix.org
+License:        (IPL-1.0 OR EPL-2.0) AND GPL-2.0-or-later AND BSD-4-Clause-UC
 Source0:        http://ftp.porcupine.org/mirrors/postfix-release/official/%{name}-%{version}.tar.gz
 Source1:        postfix-etc-init.d-postfix
 Source2:        postfix.service
@@ -99,13 +99,13 @@ PostgreSQL maps with Postfix, you need this.
 
 %prep
 %setup -qn %{name}-%{version}
-%patch1 -p1 -b .config
-%patch2 -p1 -b .files
-%patch3 -p1 -b .alternatives
-%patch4 -p1 -b .large-fs
+%patch -P1 -p1 -b .config
+%patch -P2 -p1 -b .files
+%patch -P3 -p1 -b .alternatives
+%patch -P4 -p1 -b .large-fs
 
-%patch11 -p1
-%patch12 -p1
+%patch -P11 -p1
+%patch -P12 -p1
 
 sed -i \
 's|^\(\s*#define\s\+DEF_SHLIB_DIR\s\+\)"/usr/lib/postfix"|\1"%{_libdir}/postfix"|' \
@@ -115,8 +115,8 @@ src/util/dict_db.c
 
 gzip -dc %{SOURCE53} | tar xf -
 pushd pflogsumm-1.1.5
-%patch5 -p1 -b .datecalc
-%patch6 -p1 -b .ipv6-warnings-fix
+%patch -P5 -p1 -b .datecalc
+%patch -P6 -p1 -b .ipv6-warnings-fix
 popd
 
 sed -i makedefs -e '\@Linux\.@s|345|3456|'
@@ -172,8 +172,6 @@ make -f Makefile.init makefiles shared=yes dynamicmaps=yes \
 %make_build
 
 %install
-mkdir -p %{buildroot}
-
 for i in man1/mailq.1 man1/newaliases.1 man1/sendmail.1 man5/aliases.5 man8/smtpd.8; do
   dest=$(echo $i | sed 's|\.[1-9]$|.postfix\0|')
   mv man/$i man/$dest
@@ -312,9 +310,6 @@ chrpath -d %{buildroot}%{_sbindir}/postconf
 chrpath -d %{buildroot}%{_sbindir}/postsuper
 chrpath -d %{buildroot}%{_sbindir}/postmulti
 
-mkdir -p %{buildroot}/etc/ld.so.conf.d
-echo "%{_libdir}/postfix" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
-
 function split_file
 {
   grep "$1" "$3" >> "$3.d/$2" || :
@@ -335,7 +330,6 @@ popd
 
 %post -e
 %systemd_post %{name}.service
-/sbin/ldconfig
 
 %{_sbindir}/postfix set-permissions upgrade-configuration \
         daemon_directory=%{postfix_daemon_dir} \
@@ -411,7 +405,6 @@ exit 0
 
 %postun
 %systemd_postun_with_restart %{name}.service
-/sbin/ldconfig
 
 %post sysvinit
 /sbin/chkconfig --add postfix >/dev/null 2>&1 ||:
@@ -435,10 +428,8 @@ fi
 /bin/systemctl try-restart postfix.service >/dev/null 2>&1 || :
 
 %files
-%defattr(-,root,root)
 %config(noreplace) %{sasl_config_dir}/smtpd.conf
 %config(noreplace) %{_sysconfdir}/pam.d/smtp.postfix
-%config(noreplace) /etc/ld.so.conf.d/*
 %{_unitdir}/postfix.service
 %{postfix_doc_dir}
 %dir %attr(0700,postfix,root) %{postfix_queue_dir}/active
@@ -519,24 +510,20 @@ fi
 %exclude %{_mandir}/man5/*_table.5*
 
 %files sysvinit
-%defattr(-,root,root)
 %{_initrddir}/postfix
 
 %files perl-scripts
-%defattr(-,root,root)
 %{postfix_command_dir}/qshape
 %{postfix_command_dir}/pflogsumm
 
 %files pgsql
-%defattr(-,root,root)
 %{postfix_config_dir}/dynamicmaps.cf.d/pgsql
 %{postfix_config_dir}/postfix-files.d/pgsql
 %{postfix_shlib_dir}/postfix-pgsql.so
 
 %files help
-%defattr(-,root,root)
 %{_mandir}/man1/qshape*
-%{_mandir}/man1/pflogsumm.1.gz
+%{_mandir}/man1/pflogsumm.1*
 %{_mandir}/man1/post*.1*
 %{_mandir}/man1/smtp*.1*
 %{_mandir}/man1/*.postfix.1*
@@ -556,6 +543,10 @@ fi
 %{postfix_doc_dir}/README_FILES/*
 
 %changelog
+* Mon Feb 17 2025 Funda Wang <fundawang@yeah.net> - 2:3.8.8-1
+- update to 3.8.8
+- harden systemd service
+
 * Tue Jan 02 2024 gaihuiying <eaglegai@163.com> - 2:3.8.4-1
 - Type:requirements
 - ID:NA