From ffc3138d2b124432f2a4c9160163f7eae5bba6ef Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Thu, 5 Feb 2026 12:53:15 +0100 Subject: [PATCH] docs: Document mail port hijacking fix Firewall DNAT rules were redirecting ALL port 993/587/465 traffic to local mailserver, blocking external mail server connections. Fix: Add -i $WAN_IF to only redirect inbound WAN traffic. Co-Authored-By: Claude Opus 4.5 --- .claude/WIP.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.claude/WIP.md b/.claude/WIP.md index 4113a8c0..d14bc586 100644 --- a/.claude/WIP.md +++ b/.claude/WIP.md @@ -70,6 +70,12 @@ _Last updated: 2026-02-06_ - Fix: Changed setup.sh to use `lmdb:` prefix and copy resolv.conf to chroot - Added `mailctl fix-postfix` command to repair existing installations +- **Mail Port Hijacking External Connections** — RESOLVED (2026-02-06) + - Root cause: firewall.user DNAT rules had no interface restriction + - ALL port 993/587/etc traffic was redirected to local mailserver + - This blocked Thunderbird from connecting to external mail (ssl0.ovh.net) + - Fix: Added `-i $WAN_IF` to only redirect inbound WAN traffic + ### Just Completed - **Unified Backup Manager** — DONE (2026-02-05)
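Review bot: In the added "Mail Port Hijacking External Connections" entry, the line `ALL port 993/587/etc traffic was redirected to local mailserver` leaves the affected port set open-ended, while the commit message names 993/587/465. List the exact ports the DNAT rules in firewall.user cover, so a reader auditing the ruleset can confirm that every mail redirect now carries `-i $WAN_IF` and none was missed. The entry is also marked `RESOLVED (2026-02-06)` although the commit is dated Thu, 5 Feb 2026; align the date with the day the fix landed. This patch only touches `.claude/WIP.md`, so the firewall.user change itself cannot be checked from here: reference the commit that modified the rules, and note where `$WAN_IF` is defined. If that variable expands to an empty string, what the rule does depends on how the script quotes it, so the entry should state that the script checks for this.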