Add config to disable system root cert store

.env.template

@@ -528,6 +528,9 @@
 ## Paths to PEM files, separated by semicolons
 # SMTP_ADDITIONAL_ROOT_CERTS=
 
+## Use system root certificate store for TLS host verification
+# SMTP_USE_SYSTEM_ROOT_CERTS=true
+
 ##########################
 ### Rocket settings ###
 ##########################

src/config.rs

@@ -681,6 +681,8 @@ make_config! {
         smtp_accept_invalid_hostnames: bool,   true,   def,     false;
         /// Accept additional root certs |> Paths to PEM files, separated by semicolons
         smtp_additional_root_certs:    String, true,   option;
+        /// Use system root certificate store for TLS host verification
+        smtp_use_system_root_certs:    bool,   true,   def,     true;
     },
 
     /// Email 2FA Settings

src/mail.rs

@@ -7,7 +7,7 @@ use percent_encoding::{percent_encode, NON_ALPHANUMERIC};
 use lettre::{
     message::{Attachment, Body, Mailbox, Message, MultiPart, SinglePart},
     transport::smtp::authentication::{Credentials, Mechanism as SmtpAuthMechanism},
-    transport::smtp::client::{Certificate, Tls, TlsParameters},
+    transport::smtp::client::{Certificate, CertificateStore, Tls, TlsParameters},
     transport::smtp::extension::ClientId,
     Address, AsyncSendmailTransport, AsyncSmtpTransport, AsyncTransport, Tokio1Executor,
 };
@@ -67,6 +67,9 @@ fn smtp_transport() -> AsyncSmtpTransport<Tokio1Executor> {
                 tls_parameters = tls_parameters.add_root_certificate(cert.clone());
             }
         }
+        if !CONFIG.smtp_use_system_root_certs() {
+            tls_parameters = tls_parameters.certificate_store(CertificateStore::None);
+        }
         let tls_parameters = tls_parameters.build().unwrap();
 
         if CONFIG.smtp_security() == *"force_tls" {