Comment 3 for bug 1915238

Thanks for the detailed analysis Paride and Ante. While a service restart is indeed required to refresh the chroot dir of the main/default instance, it feels a bit intrusive and could be avoided by directly calling "/usr/lib/postfix/configure-instance.sh" via a hook in /etc/ca-certificates/update.d/

configure-instance.sh will update the default instance's chroot when called without any parameter.