webmail: when composing a message, show security status in a bar below addressee input field

the bar is currently showing 3 properties:
1. mta-sts enforced;
2. mx lookup returned dnssec-signed response;
3. first delivery destination host has dane records

the colors are: red for not-implemented, green for implemented, gray for error,
nothing for unknown/irrelevant.

the plan is to implement "requiretls" soon and start caching per domain whether
delivery can be done with starttls and whether the domain supports requiretls.
and show that in two new parts of the bar.

thanks to damian poddebniak for pointing out that security indicators should
always be visible, not only for positive/negative result. otherwise users won't
notice their absence.

webmail/api.json

@@ -275,6 +275,26 @@
 			],
 			"Returns": []
 		},
+		{
+			"Name": "RecipientSecurity",
+			"Docs": "RecipientSecurity looks up security properties of the address in the\nsingle-address message addressee (as it appears in a To/Cc/Bcc/etc header).",
+			"Params": [
+				{
+					"Name": "messageAddressee",
+					"Typewords": [
+						"string"
+					]
+				}
+			],
+			"Returns": [
+				{
+					"Name": "r0",
+					"Typewords": [
+						"RecipientSecurity"
+					]
+				}
+			]
+		},
 		{
 			"Name": "SSETypes",
 			"Docs": "SSETypes exists to ensure the generated API contains the types, for use in SSE events.",
@@ -1234,6 +1254,33 @@
 				}
 			]
 		},
+		{
+			"Name": "RecipientSecurity",
+			"Docs": "RecipientSecurity is a quick analysis of the security properties of delivery to the recipient (domain).\nFields are nil when an error occurred during analysis.",
+			"Fields": [
+				{
+					"Name": "MTASTS",
+					"Docs": "Whether we have a stored enforced MTA-STS policy, or domain has MTA-STS DNS record.",
+					"Typewords": [
+						"SecurityResult"
+					]
+				},
+				{
+					"Name": "DNSSEC",
+					"Docs": "Whether MX lookup response was DNSSEC-signed.",
+					"Typewords": [
+						"SecurityResult"
+					]
+				},
+				{
+					"Name": "DANE",
+					"Docs": "Whether first delivery destination has DANE records.",
+					"Typewords": [
+						"SecurityResult"
+					]
+				}
+			]
+		},
 		{
 			"Name": "EventStart",
 			"Docs": "EventStart is the first message sent on an SSE connection, giving the client\nbasic data to populate its UI. After this event, messages will follow quickly in\nan EventViewMsgs event.",
@@ -2587,6 +2634,32 @@
 				}
 			]
 		},
+		{
+			"Name": "SecurityResult",
+			"Docs": "SecurityResult indicates whether a security feature is supported.",
+			"Values": [
+				{
+					"Name": "SecurityResultError",
+					"Value": "error",
+					"Docs": ""
+				},
+				{
+					"Name": "SecurityResultNo",
+					"Value": "no",
+					"Docs": ""
+				},
+				{
+					"Name": "SecurityResultYes",
+					"Value": "yes",
+					"Docs": ""
+				},
+				{
+					"Name": "SecurityResultUnknown",
+					"Value": "unknown",
+					"Docs": "Unknown whether supported. Finding out may only be (reasonably) possible when\ntrying (e.g. SMTP STARTTLS). Once tried, the result may be cached for future\nlookups."
+				}
+			]
+		},
 		{
 			"Name": "Localpart",
 			"Docs": "Localpart is a decoded local part of an email address, before the \"@\".\nFor quoted strings, values do not hold the double quote or escaping backslashes.\nAn empty string can be a valid localpart.",