diff --git a/core/security/enum/const.go b/core/security/enum/const.go
index 74f5f807..58f93fa5 100644
--- a/core/security/enum/const.go
+++ b/core/security/enum/const.go
@@ -38,6 +38,8 @@ const (
 	CommandRead    = "system.command:read"
 	CredentialAll  = "system.credential:all"
 	CredentialRead = "system.credential:read"
+	SmtpServerAll  = "system.smtp_server:all"
+	SmtpServerRead = "system.smtp_server:read"
 
 	InstanceRead = "gateway.instance:read"
 	InstanceAll  = "gateway.instance:all"
@@ -142,6 +144,8 @@ const (
 	PermissionMigrationTaskWrite  = "task:write"
 	PermissionComparisonTaskRead  = "comparison_task:read"
 	PermissionComparisonTaskWrite = "comparison_task:write"
+	PermissionSmtpServerRead = "smtp_server:read"
+	PermissionSmtpServerWrite = "smtp_server:write"
 )
 
 var (
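Review bot: The two added constants `PermissionSmtpServerRead` and `PermissionSmtpServerWrite` are not gofmt-aligned with the `=` column of the constants above them, so the file no longer passes a gofmt check as shown. The same misalignment appears on the added `SmtpServerReadPermission`/`SmtpServerAllPermission` lines in the `var (` block and on the two new entries in the `init()` map literal. Running `gofmt -w core/security/enum/const.go` fixes all three. Go convention would also spell the initialism as `SMTP` (`PermissionSMTPServerRead`), though that is worth changing only if the rest of the package follows the convention.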
@@ -217,6 +221,8 @@ var (
 	DashboardAllPermission       = []string{PermissionLayoutRead, PermissionLayoutWrite}
 	WorkbenchReadPermission      = []string{PermissionElasticsearchClusterRead, PermissionActivityRead, PermissionAlertMessageRead, PermissionElasticsearchMetricRead}
 	WorkbenchAllPermission       = WorkbenchReadPermission
+	SmtpServerReadPermission      = []string{PermissionSmtpServerRead}
+	SmtpServerAllPermission       = []string{PermissionSmtpServerRead, PermissionSmtpServerWrite}
 )
 
 var AdminPrivilege = []string{
@@ -228,7 +234,7 @@ var AdminPrivilege = []string{
 	ClusterOverviewAll, MonitoringAll, ActivitiesAll,
 	AliasAll, AgentInstanceAll, CredentialAll,
 	DataMigrationAll, DataComparisonAll, DashboardAll, DevtoolConsoleAll,
-	WorkbenchAll, TenantCustomerAll, SubscriptionAll, AuditLogsAll,
+	WorkbenchAll, TenantCustomerAll, SubscriptionAll, AuditLogsAll, SmtpServerAll,
 }
 
 func init() {
@@ -298,6 +304,8 @@ func init() {
 
 		SubscriptionRead: SubscriptionReadPermission,
 		SubscriptionAll:  SubscriptionAllPermission,
+		SmtpServerRead:    SmtpServerReadPermission,
+		SmtpServerAll:      SmtpServerAllPermission,
 	}
 
 }
diff --git a/plugin/api/email/api.go b/plugin/api/email/api.go
index ec986bef..9515131b 100644
--- a/plugin/api/email/api.go
+++ b/plugin/api/email/api.go
@@ -29,6 +29,8 @@ package email
 
 import (
 	log "github.com/cihub/seelog"
+	"infini.sh/console/core"
+	"infini.sh/console/core/security/enum"
 	"infini.sh/console/model"
 	"infini.sh/console/plugin/api/email/common"
 	"infini.sh/framework/core/api"
@@ -38,17 +40,17 @@ import (
 )
 
 type EmailAPI struct {
-	api.Handler
+	core.Handler
 }
 
 func InitAPI() {
 	email := EmailAPI{}
-	api.HandleAPIMethod(api.POST, "/email/server/_test", email.testEmailServer)
-	api.HandleAPIMethod(api.GET, "/email/server/:email_server_id", email.getEmailServer)
-	api.HandleAPIMethod(api.POST, "/email/server", email.createEmailServer)
-	api.HandleAPIMethod(api.PUT, "/email/server/:email_server_id", email.updateEmailServer)
-	api.HandleAPIMethod(api.DELETE, "/email/server/:email_server_id", email.deleteEmailServer)
-	api.HandleAPIMethod(api.GET, "/email/server/_search", email.searchEmailServer)
+	api.HandleAPIMethod(api.POST, "/email/server/_test", email.RequirePermission(email.testEmailServer, enum.PermissionSmtpServerRead))
+	api.HandleAPIMethod(api.GET, "/email/server/:email_server_id", email.RequirePermission(email.getEmailServer, enum.PermissionAlertRuleRead))
+	api.HandleAPIMethod(api.POST, "/email/server", email.RequirePermission(email.createEmailServer, enum.PermissionSmtpServerWrite))
+	api.HandleAPIMethod(api.PUT, "/email/server/:email_server_id",  email.RequirePermission(email.updateEmailServer, enum.PermissionSmtpServerWrite))
+	api.HandleAPIMethod(api.DELETE, "/email/server/:email_server_id",  email.RequirePermission(email.deleteEmailServer, enum.PermissionSmtpServerWrite))
+	api.HandleAPIMethod(api.GET, "/email/server/_search",  email.RequirePermission(email.searchEmailServer, enum.PermissionSmtpServerRead))
 
 	credential.RegisterChangeEvent(func(cred *credential.Credential) {
 		query := util.MapStr{
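Review bot: The `GET /email/server/:email_server_id` route is wrapped with `enum.PermissionAlertRuleRead`, while every other route registered here uses the new `smtp_server` permissions. As written, a role holding only alert-rule read can fetch an SMTP server record by id, and a role granted only `system.smtp_server:read` can search but not fetch. If that is unintended, the line should be `email.RequirePermission(email.getEmailServer, enum.PermissionSmtpServerRead)`. If alert editors do need the lookup, add a comment saying so and confirm that the handler does not return stored credentials. Separately, `POST /email/server/_test` is gated on the read permission. Its handler is outside this hunk, but if it connects to a host taken from the request body, `enum.PermissionSmtpServerWrite` would be the safer gate. `InitAPI` continues past the end of the hunk.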