fix(smtp): chmod quarantine dir before dropping to logrelay

The bind-mounted quarantine dir is owned by the host decnet user; the
logrelay process had no write access because the Dockerfile USER directive
pre-applied before the entrypoint could fix permissions.

Run entrypoint as root, chmod 0777 the quarantine dir, then exec the
server under logrelay via su.

decnet/templates/smtp/Dockerfile

@@ -20,5 +20,6 @@ RUN useradd -r -s /bin/false -d /opt logrelay \
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
   CMD kill -0 1 || exit 1
 
-USER logrelay
+# Entrypoint runs as root so it can fix quarantine dir permissions before
+# dropping to logrelay via su.
 ENTRYPOINT ["/entrypoint.sh"]

decnet/templates/smtp/entrypoint.sh

@@ -1,3 +1,12 @@
 #!/bin/bash
 set -e
-exec python3 /opt/server.py
+
+# Fix quarantine dir permissions before dropping privileges — the dir is
+# bind-mounted from the host (owned by the decnet user) and must be writable
+# by the logrelay process inside the container.
+if [ -n "$SMTP_QUARANTINE_DIR" ]; then
+    mkdir -p "$SMTP_QUARANTINE_DIR"
+    chmod 0777 "$SMTP_QUARANTINE_DIR"
+fi
+
+exec su -s /bin/sh logrelay -c "exec python3 /opt/server.py"