Run container as non-root #36

@ckagerer

First, thank you for providing the community with such a robust and helpful project!

The Docker image already uses node:alpine but runs the SMTP2Graph process as root. To reduce the attack surface while keeping the existing base image, the container should run as a non-root user and include SMTP-specific guidance for handling privileged ports.

Key points to consider:

  • Do not run the process as root (use the built-in 'node' user or create a dedicated non-root user; e.g., USER node or USER 65532:65532).
  • Ensure correct ownership/permissions for application directories (e.g., /app, temp/cache/log paths) so the non-root user can read/write as needed.
  • If privileged ports (below 1024, e.g., 25, 465, 587) are needed, the container should listen on higher ports (e.g., 2525, 2465, 2587) and map them to standard ports using Docker's port mapping (e.g., 25:2525, 465:2465, 587:2587). Provide examples for docker run and docker-compose.
  • Alternatively, if binding to privileged ports inside the container is unavoidable, CAP_NET_BIND_SERVICE or sysctl net.ipv4.ip_unprivileged_port_start=0 can be used (see Docker run flags).
  • Update the Dockerfile and documentation accordingly with SMTP-specific recommendations.

Proposal:

  • Keep node:alpine as the base image.
  • Run the service as a non-root user.
  • Document SMTP-specific port mapping and alternatives for privileged ports.
  • Optional future improvement: evaluate distroless as a separate follow-up.
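The two port-handling options from the key points above, written out as a docker-compose file. This is an added example, not part of the issue or of the SMTP2Graph project; the image name is a placeholder, and it is an assumption that the service can be configured to listen on the in-container ports shown.

```yaml
# Added illustration. Start one variant at a time, e.g.:
#   docker compose --profile high-ports up
services:
  # Option 1: listen on unprivileged ports inside the container and
  # publish them on the standard SMTP ports of the host.
  smtp2graph:
    image: example/smtp2graph:placeholder   # placeholder, not the project's real image name
    profiles: ["high-ports"]
    user: "node"                  # built-in non-root user of node:alpine
    cap_drop:
      - ALL                       # no capabilities are needed for ports >= 1024
    security_opt:
      - no-new-privileges:true    # setuid binaries cannot regain privileges
    ports:
      - "25:2525"                 # host:container, quoted so YAML keeps them as strings
      - "465:2465"
      - "587:2587"

  # Option 2: the process must bind 25/465/587 inside the container.
  # The namespaced sysctl lowers the privileged-port boundary for this
  # container only, so the process still runs as non-root with no capabilities.
  # (cap_add: NET_BIND_SERVICE on its own does not reach the effective set of a
  # non-root process unless the binary also carries file capabilities.)
  smtp2graph-privileged-ports:
    image: example/smtp2graph:placeholder   # placeholder, as above
    profiles: ["privileged-ports"]
    user: "node"
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    sysctls:
      net.ipv4.ip_unprivileged_port_start: "0"
    ports:
      - "25:25"
      - "465:465"
      - "587:587"
```

In both variants, any directory the service writes to (the issue names /app and temp/cache/log paths) has to be owned by or writable for the `node` user, otherwise the container fails at the first write.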

Labels: enhancement
