feat: rollenbasierte SMTP-Statistik + Service-Aktionen

- handleServiceAction: nur superadmin darf Dienste stoppen/starten
- handleSMTPStatus: domain_admin bekommt tenant-gefilterte Stats
  (Domains, Mailanzahl, Speicher) statt globaler Daemon-Info
- Admin-Dashboard: SMTP-Kacheln, Systemauslastung, IP-Allowlist
  nur für superadmin; domain_admin sieht eigene Domain-Statistik
- Dienste-Tab: Aktions-Buttons nur für superadmin sichtbar

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/api/server.go

@@ -589,6 +589,35 @@ func (s *Server) handleSearch(w http.ResponseWriter, r *http.Request) {
 }
 
 func (s *Server) handleSMTPStatus(w http.ResponseWriter, r *http.Request) {
+	sess := sessionFromCtx(r.Context())
+	tenantID := tenantFromCtx(r.Context())
+
+	// domain_admin: return only their tenant's email statistics (no global daemon info)
+	if sess != nil && !auth.HasRole(sess.Role, userstore.RoleSuperAdmin) {
+		stats, err := s.store.StatsByTenant(r.Context(), tenantID)
+		if err != nil {
+			writeError(w, http.StatusInternalServerError, "failed to read stats")
+			return
+		}
+		domains := []string{}
+		if tenantID != nil && s.tenantStore != nil {
+			if dd, derr := s.tenantStore.ListDomains(r.Context(), *tenantID); derr == nil {
+				for _, d := range dd {
+					domains = append(domains, d.Domain)
+				}
+			}
+		}
+		writeJSON(w, http.StatusOK, map[string]interface{}{
+			"enabled":     true,
+			"tenant_only": true,
+			"domains":     domains,
+			"total_mails": stats["count"],
+			"total_bytes": stats["total_size"],
+		})
+		return
+	}
+
+	// superadmin: global daemon status
 	if s.smtpDaemon == nil {
 		writeJSON(w, http.StatusOK, map[string]interface{}{"enabled": false, "running": false})
 		return
@@ -1047,6 +1076,13 @@ func (s *Server) handleListServices(w http.ResponseWriter, r *http.Request) {
 }
 
 func (s *Server) handleServiceAction(w http.ResponseWriter, r *http.Request) {
+	// Only superadmin may start/stop/restart services
+	sess := sessionFromCtx(r.Context())
+	if sess == nil || !auth.HasRole(sess.Role, userstore.RoleSuperAdmin) {
+		writeError(w, http.StatusForbidden, "superadmin required")
+		return
+	}
+
 	name := r.PathValue("name")
 	if !isAllowedService(name) {
 		writeError(w, http.StatusBadRequest, "unknown service")

src/app/admin/page.tsx

@@ -673,7 +673,9 @@ export default function AdminPage() {
                     </CardContent>
                   </Card>
 
-                  {/* SMTP */}
+                  {/* SMTP — superadmin: globaler Daemon; domain_admin: nur eigene Domain-Statistik */}
+                  {isSuperAdmin ? (
+                    <>
                       <Card>
                         <CardContent className="pt-6 space-y-3">
                           <div className="flex items-center justify-between">
@@ -699,8 +701,6 @@ export default function AdminPage() {
                           )}
                         </CardContent>
                       </Card>
-
-                  {/* SMTP Statistik (nur live via SMTP-Daemon) */}
                       <Card>
                         <CardContent className="pt-6 space-y-3">
                           <div className="flex items-center justify-between">
@@ -726,6 +726,32 @@ export default function AdminPage() {
                           )}
                         </CardContent>
                       </Card>
+                    </>
+                  ) : (
+                    <Card>
+                      <CardContent className="pt-6 space-y-3">
+                        <div className="flex items-center justify-between">
+                          <span className="text-sm font-medium text-muted-foreground">SMTP – meine Domain(s)</span>
+                          <Badge variant="secondary">Tenant</Badge>
+                        </div>
+                        <Separator />
+                        {smtpStatus ? (
+                          <div className="grid grid-cols-2 gap-1 text-sm">
+                            <span className="text-muted-foreground">Domain(s)</span>
+                            <span className="font-mono text-xs">
+                              {smtpStatus.domains?.length > 0 ? smtpStatus.domains.join(", ") : "–"}
+                            </span>
+                            <span className="text-muted-foreground">Archivierte Mails</span>
+                            <span className="font-semibold">{smtpStatus.total_mails?.toLocaleString("de-DE") ?? "–"}</span>
+                            <span className="text-muted-foreground">Speicher</span>
+                            <span>{smtpStatus.total_bytes ? formatBytes(smtpStatus.total_bytes) : "–"}</span>
+                          </div>
+                        ) : (
+                          <p className="text-sm text-muted-foreground">Keine Daten</p>
+                        )}
+                      </CardContent>
+                    </Card>
+                  )}
 
                   {/* Archiv-Speicher */}
                   <Card>
@@ -753,8 +779,8 @@ export default function AdminPage() {
                   </Card>
                 </div>
 
-                {/* System Stats: CPU, RAM, Disks, Archivzeitraum */}
-                <div className="space-y-4">
+                {/* System Stats: nur für superadmin */}
+                {isSuperAdmin && <div className="space-y-4">
                   <h3 className="text-sm font-semibold text-muted-foreground uppercase tracking-wide">Systemauslastung</h3>
                   {!systemStats ? (
                     <Alert variant="destructive">
@@ -885,10 +911,10 @@ export default function AdminPage() {
                       )}
                     </>
                   )}
-                </div>
+                </div>}
 
-                {/* IP-Allowlist */}
-                {smtpStatus && smtpStatus.allowed_ips?.length > 0 && (
+                {/* IP-Allowlist — nur superadmin */}
+                {isSuperAdmin && smtpStatus && smtpStatus.allowed_ips?.length > 0 && (
                   <Card>
                     <CardContent className="pt-6 space-y-2">
                       <span className="text-sm font-medium text-muted-foreground">SMTP IP-Allowlist</span>
@@ -978,7 +1004,7 @@ export default function AdminPage() {
                       <TableHead className="w-24">Autostart</TableHead>
                       <TableHead className="w-28">Externer Zugriff</TableHead>
                       <TableHead>Beschreibung</TableHead>
-                      <TableHead className="w-72 text-right">Aktionen</TableHead>
+                      {isSuperAdmin && <TableHead className="w-72 text-right">Aktionen</TableHead>}
                     </TableRow>
                   </TableHeader>
                   <TableBody>
@@ -1029,6 +1055,7 @@ export default function AdminPage() {
                           <TableCell className="text-sm text-muted-foreground truncate max-w-xs">
                             {svc.description || "–"}
                           </TableCell>
+                          {isSuperAdmin && (
                           <TableCell className="text-right">
                             <div className="flex justify-end gap-1 flex-wrap">
                               {isActive ? (
@@ -1102,6 +1129,7 @@ export default function AdminPage() {
                               )}
                             </div>
                           </TableCell>
+                          )}
                         </TableRow>
                       );
                     })}