Thanks for your reply, I understand your position and I beg to disagree. The whole point of S/MIME is to delegate the trust to the built-in trusted CAs and you should, imho, just do the same, like all the browsers and mail clients out there.
Manual upload and checks would still be needed in case of a certificate signed by a CA not present in the built-in trusted CAs (i.e. /etc/ssl/certs).
I hope you’ll reconsider your decision.
All the best.