diff --git a/Kernel/Config/Defaults.pm b/Kernel/Config/Defaults.pm
index 40d52e7775..b495902d24 100644
--- a/Kernel/Config/Defaults.pm
+++ b/Kernel/Config/Defaults.pm
@@ -1127,6 +1127,7 @@ sub LoadDefaults {
# $Self->{'SMIME::CertPath'} = '/etc/ssl/certs';
# $Self->{'SMIME::PrivatePath'} = '/etc/ssl/private';
+# $Self->{'SMIME::NoDefaultCA'} = 0;
# --------------------------------------------------- #
# system permissions
diff --git a/Kernel/Config/Files/XML/Framework.xml b/Kernel/Config/Files/XML/Framework.xml
index 2bf4a42f40..13c96e2973 100644
--- a/Kernel/Config/Files/XML/Framework.xml
+++ b/Kernel/Config/Files/XML/Framework.xml
@@ -3095,6 +3095,13 @@
- 0
+
+ When enabled, no default CA certificates on S/MIME verification will be used.
+ Core::Crypt::SMIME
+
+ - 0
+
+
Specifies the name that should be used by the application when sending notifications. The sender name is used to build the complete display name for the notification master (i.e. "OTRS Notifications" otrs@your.example.com).
Core::Email
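Review bot: The new description "When enabled, no default CA certificates on S/MIME verification will be used." does not say which certificates count as "default" or what remains trusted, which is exactly what an administrator weighing this switch needs to know. I would spell it out, e.g. `When enabled, the OpenSSL default CA locations (CAfile/CApath, and the CAstore on OpenSSL 3+) are not consulted during S/MIME verification; only certificates under SMIME::CertPath are trusted.` The phrase "no default CA certificates … will be used" also reads awkwardly; "the default CA certificates are not used" is clearer. Whether the OpenSSL 3 store is also disabled is implemented in Kernel/System/Crypt/SMIME.pm in this same commit, so the description can state it.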
diff --git a/Kernel/System/Crypt/SMIME.pm b/Kernel/System/Crypt/SMIME.pm
index a2825eb358..cebf10c467 100644
--- a/Kernel/System/Crypt/SMIME.pm
+++ b/Kernel/System/Crypt/SMIME.pm
@@ -541,8 +541,21 @@ sub Verify {
$NoVerifyOption = '-noverify';
}
- my $Options = "smime -verify $NoVerifyOption -in $SignedFile -out $VerifiedFile -signer $SignerFile "
- . "-CApath $Self->{CertPath} $CertificateOption $SignedFile";
+ # Don't use default CA certs on S/MIME verification if SMIME::NoDefaultCA is enabled.
+ # See also https://docs.openssl.org/master/man1/openssl-verification-options/#trusted-certificate-options
+ my $NoDefaultCAOptions = '';
+ if ( $ConfigObject->Get('SMIME::NoDefaultCA') ) {
+ $NoDefaultCAOptions = '-no-CAfile -no-CApath';
+ if ( $Self->{OpenSSLMajorVersion} >= 3 ) {
+
+ # Disable also default certificates store (option available in OpenSSL 3+).
+ $NoDefaultCAOptions = $NoDefaultCAOptions . ' -no-CAstore';
+ }
+ }
+
+ my $Options
+ = "smime -verify $NoVerifyOption $NoDefaultCAOptions -in $SignedFile -out $VerifiedFile -signer $SignerFile "
+ . "-CApath $Self->{CertPath} $CertificateOption";
my @LogLines = qx{$Self->{Cmd} $Options 2>&1};
for my $LogLine (@LogLines) {
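Review bot: `-no-CAfile -no-CApath` is added unconditionally while only `-no-CAstore` is gated on `$Self->{OpenSSLMajorVersion} >= 3`; as far as I know the first two options were introduced in OpenSSL 1.1.0, so if a 1.0.x binary is still a supported runtime every verification would fail with an unknown-option error once SMIME::NoDefaultCA is set (fail-closed, but the log line would be misleading). If 1.0.x is out of scope, a comment saying so next to the version check would save the next reader the question. A reader may also assume `-no-CApath` cancels the explicit `-CApath $Self->{CertPath}` that is still passed on the next line; it does not (it only drops the built-in default directory), and a short comment such as `# The explicit -CApath below is still honoured; only OpenSSL's built-in default locations are disabled.` would make the trust model of the resulting command clear. Minor style point: `$NoDefaultCAOptions = $NoDefaultCAOptions . ' -no-CAstore';` is more idiomatically `$NoDefaultCAOptions .= ' -no-CAstore';`. `$ConfigObject` and `OpenSSLMajorVersion` are not declared within the hunk, and Verify() both starts and ends outside it, so I am assuming both are set up earlier in the sub/constructor.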