tls: surface transport TLS status in email path and authentication

Parse TLS details (version, cipher, bits, cert verification) from the Postfix Received header parenthetical and expose them per hop, rendered as a per-hop badge in the Email Path card. Add an x-tls Authentication-Results result: parse it when present, and otherwise synthesize it from the inbound hop's TLS info. A negative result (unencrypted inbound connection) applies a -10 authentication score penalty and is shown in the Authentication card. Enable the TLS handler in authentication_milter. Closes: #40
2026-06-06 15:15:32 +09:00 · 2026-06-06 15:15:32 +09:00 · d53c1b1e00
commit d53c1b1e00
parent 8e7e56851b
11 changed files with 593 additions and 0 deletions
--- a/web/src/lib/components/AuthenticationCard.svelte
+++ b/web/src/lib/components/AuthenticationCard.svelte
@ -218,6 +218,40 @@
            </div>
        {/if}

+        <!-- X-TLS (Transport encryption) -->
+        {#if authentication.x_tls}
+            <div class="list-group-item" id="authentication-x-tls">
+                <div class="d-flex align-items-start">
+                    <i
+                        class="bi {getAuthResultIcon(
+                            authentication.x_tls.result,
+                            true,
+                        )} {getAuthResultClass(authentication.x_tls.result, true)} me-2 fs-5"
+                    ></i>
+                    <div>
+                        <strong>Transport TLS</strong>
+                        <i
+                            class="bi bi-info-circle text-muted ms-1"
+                            title="Whether the inbound connection that delivered this message used TLS encryption (x-tls). Falls back to the inbound Received hop when no x-tls header is present."
+                        ></i>
+                        <span
+                            class="text-uppercase ms-2 {getAuthResultClass(
+                                authentication.x_tls.result,
+                                true,
+                            )}"
+                        >
+                            {authentication.x_tls.result}
+                        </span>
+                        {#if authentication.x_tls.details}
+                            <div class="small text-muted mt-1">
+                                {authentication.x_tls.details}
+                            </div>
+                        {/if}
+                    </div>
+                </div>
+            </div>
+        {/if}
+
        <!-- SPF (Required) -->
        <div class="list-group-item">
            <div class="d-flex align-items-start" id="authentication-spf">