Trusting only intermediate CA

Hi list,

I've created a small CA hierarchy using OpenSSL with the following

Root CA
_____/ \_____
/ \
Mail sub-CA Other sub-CA
/ \
/ \
Server sub-CA Client sub-CA
/ \ / \
Server1 Server2 Client1 Client2

This is certainly over-engineered for my small setup, but I wanted to
create a toolbox to create a full-fledged PKI... whatever.

I use the following straightforward configuration:
- On the server:
% smtpd_tls_security_level = may
% smtpd_tls_cert_file = Server.pem
% smtpd_tls_key_file = Server.key
% smtpd_tls_CAfile = Client_SubCA_chain.pem
% smtpd_tls_ask_ccert = yes
% smtpd_tls_loglevel = 1

- On the client:
% smtp_tls_security_level = may
% smtp_tls_cert_file = Client.pem
% smtp_tls_key_file = Client.key
% smtp_tls_CAfile = Server_SubCA_chain.pem
% smtp_tls_loglevel = 1

It works. Postfix logs that the connection is "Trusted". Woohoo!
However, I'm a little bit confused about the certificates accepted.

I've swept through RFC 2459 and as I understand the fourth paragraph of
section 6, the certification path validation must begin with a
self-signed certificate. This mean that smtpd_tls_CAfile must contains
all certificates from RootCA to Server sub-CA. Therefore if a client
provides a certificate issued by the Mail sub-CA or the Root CA
directly, it will work. What's the way to prevent this? Of course, as
the owner of the PKI, I could ensure that such certificates would never
be issued. But is there any technical mean to prevent this?

By the way, I have the feeling this could be done using a server-side
policy map similar to smtp_tls_policy_maps but there is certainly a good
reason for this setting to not exist, though I don't see why.

Thanks for your help.