Thanks for the detailed analysis Paride and Ante. While a service restart is indeed required to refresh the chroot dir of the main/default instance, it feels a bit intrusive and could be avoided by directly calling "/usr/lib/postfix/configure-instance.sh" via a hook in /etc/ca-certificates/update.d/
configure-instance.sh will update the default instance's chroot when called without any parameter.
Thanks for the detailed analysis Paride and Ante. While a service restart is indeed required to refresh the chroot dir of the main/default instance, it feels a bit intrusive and could be avoided by directly calling "/usr/lib/ postfix/ configure- instance. sh" via a hook in /etc/ca- certificates/ update. d/
configure- instance. sh will update the default instance's chroot when called without any parameter.