diff --git a/src/Security/MailAccessChecker.php b/src/Security/MailAccessChecker.php
new file mode 100644
index 0000000..aa5073a
--- /dev/null
+++ b/src/Security/MailAccessChecker.php
@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Security;
+
+use App\Entity\User;
+use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+final readonly class MailAccessChecker
+{
+    public function __construct(
+        private AuthorizationCheckerInterface $authorizationChecker,
+    ) {}
+
+    /**
+     * Verifie que l'utilisateur courant peut acceder aux endpoints mail.
+     * Autorise : ROLE_USER, ROLE_ADMIN.
+     * Refuse : ROLE_CLIENT pur (sans ROLE_ADMIN), non authentifie.
+     *
+     * @throws AccessDeniedException
+     */
+    public function ensureCanAccessMail(?UserInterface $user): void
+    {
+        if (!$user instanceof User) {
+            throw new AccessDeniedException('Authentication required');
+        }
+
+        $roles = $user->getRoles();
+
+        if (in_array('ROLE_CLIENT', $roles, true) && !in_array('ROLE_ADMIN', $roles, true)) {
+            throw new AccessDeniedException('Mail not accessible to clients');
+        }
+
+        if (!in_array('ROLE_USER', $roles, true) && !in_array('ROLE_ADMIN', $roles, true)) {
+            throw new AccessDeniedException('ROLE_USER required');
+        }
+    }
+
+    /**
+     * Verifie que l'utilisateur est ROLE_ADMIN.
+     *
+     * @throws AccessDeniedException
+     */
+    public function ensureIsAdmin(?UserInterface $user): void
+    {
+        if (!$user instanceof User || !$this->authorizationChecker->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedException('Admin only');
+        }
+    }
+}