feat(dev-deploy): relay Mailpit to Gmail (Stage 3)

Keep Mailpit as the backend's SMTP submission point and turn on its
relay so OTP/notification mail addressed to the owner reaches a real
Gmail inbox, while everything else stays captured-only.

- mailpit gains --smtp-relay-config + --smtp-relay-matching (default
  non-routable, so an unconfigured stack only captures); relay.conf is
  mounted from a new galaxy-dev-mailpit-config volume
- tools/dev-deploy/mailpit/relay.conf.tmpl + a dev-deploy.yaml step that
  renders it from Gitea secrets (Gmail App Password, never committed)
  and seeds the volume; the GALAXY_DEV_MAIL_RELAY_MATCH var drives the
  relay-matching recipient
- backend SMTP config unchanged (still -> galaxy-mailpit:1025)
- dev-deploy README documents the relay + required secrets/vars

Verified locally: compose config valid; the rendered relay.conf is
accepted by mailpit v1.21.8 (relay + recipient-matching enabled).
Real Gmail delivery is verified at the dev-deploy preview once the
owner sets the secrets.
Ilia Denisov
2026-05-31 22:44:32 +02:00
parent 225f89fad6
commit 7fb6a63c2b
4 changed files with 87 additions and 3 deletions
@@ -0,0 +1,18 @@
# Mailpit SMTP relay upstream — RENDERED AT DEPLOY TIME by
# .gitea/workflows/dev-deploy.yaml from Gitea Actions secrets, then
# seeded into the `galaxy-dev-mailpit-config` volume. The Gmail App
# Password is a secret and MUST NOT be committed: this template only
# carries ${PLACEHOLDER}s that the workflow substitutes. See
# tools/dev-deploy/README.md ("Mail").
#
# Mailpit captures every message; the `--smtp-relay-matching` flag (set
# from GALAXY_DEV_MAIL_RELAY_MATCH in the compose) decides which
# recipients are actually relayed up to this Gmail account.
host: smtp.gmail.com
port: 587
starttls: true
allow-insecure: false
auth: login
username: ${GALAXY_DEV_MAIL_RELAY_USERNAME}
password: ${GALAXY_DEV_MAIL_RELAY_PASSWORD}
return-path: ${GALAXY_DEV_MAIL_RELAY_USERNAME}
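
Review bot: the `username`, `password` and `return-path` values in the last three lines are substituted into YAML unquoted, so a secret containing `#`, a colon followed by a space, or a leading YAML indicator character would be truncated or misparsed, and an unset secret would render as an empty (null) field instead of failing the deploy. Consider single-quoting the placeholders, for example `password: '${GALAXY_DEV_MAIL_RELAY_PASSWORD}'`, and having the step that renders this template exit non-zero when either variable is empty or when a literal `${` is still present in the output. Since the header comment already says the App Password must never be committed, it would also help to state there that the rendered relay.conf is a secret-bearing file, so nobody copies it out of the `galaxy-dev-mailpit-config` volume into the repository or into logs while debugging.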