docs: Document mail server DNS and firewall fixes

- BIND zone was returning internal IP (192.168.255.1) instead of public IP
- Added IPv6 AAAA records to BIND zone and Gandi DNS
- Fixed nftables forward_wan chain blocking DNAT'd mail traffic
- Added mail port forwarding rules for both IPv4 and IPv6
- Documented Free ISP inbound port 25 blocking issue

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.claude/WIP.md

@@ -109,6 +109,28 @@ _Last updated: 2026-02-07_
   - Fix: Added `mailctl fix-ports` command to enable all mail ports
   - Also added password reset for mail users in LuCI dashboard
 
+- **BIND Zone Returning Internal IP** — RESOLVED (2026-02-07)
+  - Root cause: `/etc/bind/zones/secubox.in.zone` had 192.168.255.1 (internal) instead of public IP
+  - External DNS queries returned non-routable internal IP
+  - Fix: Updated zone file with public IP 82.67.100.75 for all records
+
+- **IPv6 DNS Support** — DONE (2026-02-07)
+  - Added AAAA records to BIND zone and Gandi DNS
+  - IPv6: `2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f`
+  - Records: @, mail, ns0, ns1, wildcard
+
+- **nftables Mail Forwarding Rules** — DONE (2026-02-07)
+  - Root cause: nftables `forward_wan` chain blocked DNAT'd mail traffic
+  - iptables DNAT worked but nftables dropped packets before forwarding
+  - Fix: Added explicit accept rules for mail ports (25,143,465,587,993,995)
+  - Added both IPv4 and IPv6 forwarding rules
+  - Persisted in `/etc/firewall.user`
+
+- **Inbound Port 25 Blocked by Free ISP** — KNOWN ISSUE
+  - Free ISP blocks inbound port 25 on residential lines
+  - Outbound mail works, inbound from external fails
+  - Workaround options: VPS relay, Mailgun/SendGrid, or contact Free support
+
 ### Just Completed
 
 - **Unified Backup Manager** — DONE (2026-02-05)