diff --git a/decnet/templates/smtp/Dockerfile b/decnet/templates/smtp/Dockerfile
index 68d28efa..d8a695c0 100644
--- a/decnet/templates/smtp/Dockerfile
+++ b/decnet/templates/smtp/Dockerfile
@@ -20,5 +20,6 @@ RUN useradd -r -s /bin/false -d /opt logrelay \
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
 CMD kill -0 1 || exit 1
-USER logrelay
+# Entrypoint runs as root so it can fix quarantine dir permissions before
+# dropping to logrelay via su.
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/decnet/templates/smtp/entrypoint.sh b/decnet/templates/smtp/entrypoint.sh
index c830b733..528bdacf 100644
--- a/decnet/templates/smtp/entrypoint.sh
+++ b/decnet/templates/smtp/entrypoint.sh
@@ -1,3 +1,12 @@
 #!/bin/bash
 set -e
-exec python3 /opt/server.py
+
+# Fix quarantine dir permissions before dropping privileges — the dir is
+# bind-mounted from the host (owned by the decnet user) and must be writable
+# by the logrelay process inside the container.
+if [ -n "$SMTP_QUARANTINE_DIR" ]; then
+ mkdir -p "$SMTP_QUARANTINE_DIR"
+ chmod 0777 "$SMTP_QUARANTINE_DIR"
+fi
+
+exec su -s /bin/sh logrelay -c "exec python3 /opt/server.py"
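Review bot: With `USER logrelay` removed, the image's default user becomes root, so the privilege drop now lives only in entrypoint.sh; the HEALTHCHECK command, any `docker exec` session and any run that overrides the entrypoint will execute as root. The added comment should state that consequence, for example `# NOTE: image default user is now root; only /entrypoint.sh drops to logrelay, so do not override the entrypoint.` If bind-mount ownership is the only reason for root, it is worth checking whether giving logrelay a UID that matches the host-side owner would let `USER logrelay` stay. The hunk starts mid-file, so the earlier instructions are not visible here.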
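Review bot: `chmod 0777 "$SMTP_QUARANTINE_DIR"` makes the quarantine directory world-writable, and because the comment says it is bind-mounted from the host, that mode applies to the host directory too, where any local account could then add, replace or delete quarantined files. The script is still root at this point, so access can be granted to the service account's group alone while the host owner keeps its rights: `chgrp logrelay "$SMTP_QUARANTINE_DIR"` followed by `chmod 0770 "$SMTP_QUARANTINE_DIR"`. Whether other host users need access is not visible in this diff, so confirm that before narrowing the mode. Since both commands run as root on a path taken from the environment, a check such as `[ ! -L "$SMTP_QUARANTINE_DIR" ]` before the mode change would stop it from following a symlink.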