Extend email plugin settings api

api/proto/teleport/legacy/types/types.proto

@@ -6612,6 +6612,27 @@ message SMTPSpec {
   string host = 1;
   // Port specifies the SMTP service port number.
   int32 port = 2;
+  // StartTLSPolicy specifies the SMTP start TLS policy used to send emails over
+  // SMTP.
+  SMTPStartTLSPolicy start_tls_policy = 3;
+}
+
+// SMTPStartTLSPolicy defines the start TLS policy used to communicate with the
+// SMTP service.
+enum SMTPStartTLSPolicy {
+  // SMTP_MANDATORY_START_TLS means that SMTP transactions must be encrypted.
+  // SMTP transactions are aborted unless STARTTLS is supported by the
+  // SMTP server. Recommended for all modern SMTP servers.
+  SMTP_MANDATORY_START_TLS = 0;
+
+  // SMTP_OPPORTUNISTIC_START_TLS means that SMTP transactions are encrypted if
+  // STARTTLS is supported by the SMTP server. Otherwise, messages are
+  // sent in the clear.
+  SMTP_OPPORTUNISTIC_START_TLS = 1;
+
+  // SMTP_NO_START_TLS means encryption is disabled and messages are sent in the
+  // clear.
+  SMTP_NO_START_TLS = 2;
 }
 
 message PluginBootstrapCredentialsV1 {

api/types/plugin_test.go

@@ -1291,6 +1291,30 @@ func TestPluginEmailSettings(t *testing.T) {
 				require.NoError(t, err)
 			},
 		},
+		{
+			name: "(smtp) change start TLS policy",
+			mutateSettings: func(s *PluginEmailSettings) {
+				s.Spec = &PluginEmailSettings_SmtpSpec{
+					SmtpSpec: &SMTPSpec{
+						Host:           "smtp.example.com",
+						Port:           587,
+						StartTlsPolicy: SMTPStartTLSPolicy_SMTP_OPPORTUNISTIC_START_TLS,
+					},
+				}
+			},
+			creds: &PluginCredentialsV1{
+				Credentials: &PluginCredentialsV1_StaticCredentialsRef{
+					&PluginStaticCredentialsRef{
+						Labels: map[string]string{
+							"label1": "value1",
+						},
+					},
+				},
+			},
+			assertErr: func(t require.TestingT, err error, args ...any) {
+				require.NoError(t, err)
+			},
+		},
 	}
 
 	for _, tc := range testCases {