From d292fb0307705d9fbe6ad63898ca3ba9fcf269c0 Mon Sep 17 00:00:00 2001 From: Wayne Hayes Date: Thu, 11 Jun 2026 20:45:53 -0400 Subject: [PATCH] docs(CLAUDE): drop stale 'container has no IPv6' claim; align with LESSONS 8-9 The sidecar gained real IPv6 egress (commit 34422ba / LESSONS.md 9), but the outbound pitfall still asserted 'no IPv6 / no AAAA->A fallback'. Reword to reflect the fix while keeping the tailnet-relay guidance. Co-Authored-By: Claude Opus 4.8 --- CLAUDE.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index e7ca12c..f972dbb 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -81,10 +81,12 @@ healthcheck, ephemeral OAuth auth). Don't drift it. Tag: `tag:stalwart`. re-init. And never test a password over `127.0.0.1` against these Postgres containers: pg_hba `trust`s loopback and accepts ANY password. Test over the tailnet (scram) or you'll fool yourself. -- **Outbound :25 is usually blocked on VPS.** Set `STALWART_SMARTHOST`. The - relay address **must be an IPv4 literal or a tailnet IP** — never a dual-stack - hostname. The container has no IPv6 and will not fall back from AAAA to A; - relaying over the tailnet (`100.x:587`) also bypasses all VPS SMTP port blocks. +- **Outbound :25 is usually blocked on VPS.** Set `STALWART_SMARTHOST`, and + prefer relaying over the tailnet (`100.x:587`) — it bypasses the VPS SMTP-port + blocks and, having no AAAA, sidesteps the v6-first trap. The sidecar now has + its **own IPv6 egress** (LESSONS.md 9), so dual-stack targets resolve too; + before that fix an AAAA-only path would hang (`os error 101`) with no fallback + to A. See LESSONS.md 8–9. - **Mail forces WAN ports.** `:25` must be world-reachable for inbound federation — this is the one place the tailnet-only model can't hold. Keep submission/IMAP tailnet-only if you want a tighter surface.
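Review bot: In the rewritten "Outbound :25" bullet, the old hard rule ("must be an IPv4 literal or a tailnet IP", "never a dual-stack hostname") is softened to "prefer relaying over the tailnet", but the new text only says the sidecar gained its own IPv6 egress. It does not say the missing AAAA-to-A fallback was fixed. If fallback is still absent, a dual-stack `STALWART_SMARTHOST` works only while the sidecar's v6 egress is healthy, and the pre-fix hang comes back whenever it is not. Suggest stating that dependency in the bullet, or keeping the IPv4-literal / tailnet-IP wording as the default and presenting dual-stack hostnames as the exception that needs working v6 egress. Two wording points in the same bullet: "dual-stack targets resolve too" reads as a DNS statement, while the failure described is at connect time (`os error 101`), so "are reachable too" would be more accurate; and "an AAAA-only path would hang" does not match the removed text, which described a dual-stack hostname with no fallback from AAAA to A.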