Julien and I met at DebConf25 to discuss how to proceed with this bug. The following is a short summary of this meeting:

1. Creating a separate package containing email certificates (both email-only and email+server CA certificates) seems suitable, provided they are stored in a separate trust store to avoid re-introducing #721976.

2. What needs to be clarified is how to make software using ca-certificates (e.g. openssl) aware of this, i.e. they have to use the server CA trust store when validating server certificates and the email CA trust store when dealing with mails.
