docs(CLAUDE): drop stale 'container has no IPv6' claim; align with LESSONS 8-9

The sidecar gained real IPv6 egress (commit 34422ba / LESSONS.md 9), but the
outbound pitfall still asserted 'no IPv6 / no AAAA->A fallback'. Reword to
reflect the fix while keeping the tailnet-relay guidance.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

CLAUDE.md

@@ -81,10 +81,12 @@ healthcheck, ephemeral OAuth auth). Don't drift it. Tag: `tag:stalwart`.
   re-init. And never test a password over `127.0.0.1` against these Postgres
   containers: pg_hba `trust`s loopback and accepts ANY password. Test over the
   tailnet (scram) or you'll fool yourself.
-- **Outbound :25 is usually blocked on VPS.** Set `STALWART_SMARTHOST`. The
+- **Outbound :25 is usually blocked on VPS.** Set `STALWART_SMARTHOST`, and
-  relay address **must be an IPv4 literal or a tailnet IP** — never a dual-stack
+  prefer relaying over the tailnet (`100.x:587`) — it bypasses the VPS SMTP-port
-  hostname. The container has no IPv6 and will not fall back from AAAA to A;
+  blocks and, having no AAAA, sidesteps the v6-first trap. The sidecar now has
-  relaying over the tailnet (`100.x:587`) also bypasses all VPS SMTP port blocks.
+  its **own IPv6 egress** (LESSONS.md 9), so dual-stack targets resolve too;
+  before that fix an AAAA-only path would hang (`os error 101`) with no fallback
+  to A. See LESSONS.md 8–9.
 - **Mail forces WAN ports.** `:25` must be world-reachable for inbound
   federation — this is the one place the tailnet-only model can't hold. Keep
   submission/IMAP tailnet-only if you want a tighter surface.