Add config to disable system root cert store

.env.template

@@ -529,6 +529,9 @@
 ## Paths to PEM files, separated by semicolons
 # SMTP_ADDITIONAL_ROOT_CERTS=
 
+## Use system root certificate store for TLS host verification
+# SMTP_USE_SYSTEM_ROOT_CERTS=true
+
 ##########################
 ### Rocket settings ###
 ##########################

src/config.rs

@@ -677,6 +677,8 @@ make_config! {
         smtp_accept_invalid_hostnames: bool,   true,   def,     false;
         /// Accept additional root certs |> Paths to PEM files, separated by semicolons
         smtp_additional_root_certs:    String, true,   option;
+        /// Use system root certificate store for TLS host verification
+        smtp_use_system_root_certs:    bool,   true,   def,     true;
     },
 
     /// Email 2FA Settings

src/mail.rs

@@ -6,7 +6,7 @@ use percent_encoding::{percent_encode, NON_ALPHANUMERIC};
 use lettre::{
     message::{Attachment, Body, Mailbox, Message, MultiPart, SinglePart},
     transport::smtp::authentication::{Credentials, Mechanism as SmtpAuthMechanism},
-    transport::smtp::client::{Tls, TlsParameters},
+    transport::smtp::client::{CertificateStore, Tls, TlsParameters},
     transport::smtp::extension::ClientId,
     Address, AsyncSendmailTransport, AsyncSmtpTransport, AsyncTransport, Tokio1Executor,
 };
@@ -50,6 +50,9 @@ fn smtp_transport() -> AsyncSmtpTransport<Tokio1Executor> {
         for cert in &*SMTP_ADDITIONAL_ROOT_CERTS.read().unwrap() {
             tls_parameters = tls_parameters.add_root_certificate(cert.clone());
         }
+        if !CONFIG.smtp_use_system_root_certs() {
+            tls_parameters = tls_parameters.certificate_store(CertificateStore::None);
+        }
         let tls_parameters = tls_parameters.build().unwrap();
 
         if CONFIG.smtp_security() == *"force_tls" {