diff --git a/priv/emqx.schema b/priv/emqx.schema
index 700752d6d..c110d0f4b 100644
--- a/priv/emqx.schema
+++ b/priv/emqx.schema
@@ -1647,7 +1647,7 @@ end}.
 ]}.
 {mapping, "listener.ssl.$name.partial_chain", "emqx.listeners", [
- {datatype, atom}
+ {datatype, {enum, [true, false, two_cacerts_from_cacertfile, cacert_from_cacertfile]}}
 ]}.
 {mapping, "listener.ssl.$name.verify_peer_ext_key_usage", "emqx.listeners", [
diff --git a/src/emqx_tls_lib.erl b/src/emqx_tls_lib.erl
index bebc891d6..6aca651f5 100644
--- a/src/emqx_tls_lib.erl
+++ b/src/emqx_tls_lib.erl
@@ -200,7 +200,7 @@ opt_partial_chain(SslOpts) ->
 undefined ->
 SslOpts;
 false ->
- SslOpts;
+ proplists:delete(partial_chain, SslOpts);
 V when V =:= cacert_from_cacertfile orelse V == true ->
 replace(SslOpts, partial_chain, rootfun_trusted_ca_from_cacertfile(1, SslOpts));
 V when V =:= two_cacerts_from_cacertfile -> %% for certificate rotations
diff --git a/test/emqx_listener_tls_verify_partial_chain_SUITE.erl b/test/emqx_listener_tls_verify_partial_chain_SUITE.erl
index 224e1a8b6..6e3f3e9c8 100644
--- a/test/emqx_listener_tls_verify_partial_chain_SUITE.erl
+++ b/test/emqx_listener_tls_verify_partial_chain_SUITE.erl
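Review bot: The enum lists both `true` and `cacert_from_cacertfile` but nothing in the schema says they are the same setting, which is how the `opt_partial_chain` guard in `emqx_tls_lib` (`V =:= cacert_from_cacertfile orelse V == true`) treats them. A one-line comment above the mapping would spare the next reader a trip into the library: `%% true is an alias of cacert_from_cacertfile; false disables partial-chain verification (the option is dropped from the ssl options)`. Since the datatype is now an enum, a misspelled value is rejected at config load instead of reaching the library as an unknown atom; if this mapping has a doc field further down, that is worth stating there too (none is visible in this hunk).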
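Review bot: The new `false` branch drops the key without recording why `{partial_chain, false}` cannot be passed through the way `undefined` is; presumably `ssl` accepts only a fun for `partial_chain` and would reject the boolean when the listener starts, which is what the new suite case with `{partial_chain, false}` exercises. Put the why next to the branch: `false -> %% ssl takes only a fun here; drop the boolean so the listener still starts`. It is also worth noting that with the key removed, chain checking falls back to ssl's default behaviour (a chain that does not reach a trusted root is rejected), which is what the test's `unknown_ca` expectation relies on. The `opt_partial_chain/1` clause and its `case` subject start before this hunk, so whether `false` can arrive from anywhere other than the schema enum is not visible here.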
@@ -400,6 +400,22 @@ t_conn_fail_with_server_two_IA_bundle_and_client_root_chain(Config) ->
 fail_when_no_ssl_alert(Socket, unknown_ca),
 ok = ssl:close(Socket).
+t_conn_fail_with_server_partial_chain_false_intermediate_cacert_and_client_cert(Config) ->
+ Port = emqx_test_tls_certs_helper:select_free_port(ssl),
+ DataDir = ?config(data_dir, Config),
+ Options = [{ssl_options, [ {cacertfile, filename:join(DataDir, "intermediate1.pem")}
+ , {certfile, filename:join(DataDir, "server1.pem")}
+ , {keyfile, filename:join(DataDir, "server1.key")}
+ , {partial_chain, false}
+ | ?config(ssl_config, Config)
+ ]}],
+ emqx_listeners:start_listener(ssl, Port, Options),
+ {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client1.key")},
+ {certfile, filename:join(DataDir, "client1.pem")}
+ ], 1000),
+ fail_when_no_ssl_alert(Socket, unknown_ca),
+ ssl:close(Socket).
+
 t_error_handling_invalid_cacertfile(Config) ->
 Port = emqx_test_tls_certs_helper:select_free_port(ssl),
 DataDir = ?config(data_dir, Config),
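Review bot: `emqx_listeners:start_listener(ssl, Port, Options)` in the new case discards its result, yet this case exists precisely to show that `{partial_chain, false}` no longer breaks listener start, so a failed start would only show up indirectly as a connect failure on the next line; match the success value the function returns (its spec is not visible here). The closing `ssl:close(Socket).` likewise drops its result while the preceding case on this hunk writes `ok = ssl:close(Socket).` — use the same assertive form. The client side connects with no `verify`/`cacerts` options, which is fine for a server-side alert test but deserves a one-line comment such as `%% client does not verify the server; we only care about the server rejecting the client chain`. The listener is never stopped in the case; if `end_per_testcase` does not clean listeners up, each run leaks one listener process.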