#!/bin/sh
# Guard against the Jun 24 incident: an unattended reboot dropped the warmed
# sending IPs (.94/.107) off ens18 because classic ifupdown only applies the
# first "address" line. Postfix then fell back to egressing from .71 (NOT in
# SPF, on RLR621/Trend ERS-QIL) for ~37h, tanking deliverability silently.
# This re-binds any missing sending IP and logs/flushes if it had to act.
CHANGED=0
for ip in 207.174.124.72 207.174.124.94 207.174.124.107; do
  if ! ip addr show ens18 | grep -q "$ip/"; then
    ip addr add "$ip/23" dev ens18 && CHANGED=1
    logger -t pw-mail-ip-watchdog "re-bound missing sending IP $ip to ens18"
  fi
done
# Also catch silent bind failures even if the IP looks present.
if tail -n 500 /var/log/mail.log 2>/dev/null | grep -q "Cannot assign requested address"; then
  logger -t pw-mail-ip-watchdog "postfix bind failures detected in recent mail.log"
  CHANGED=1
fi
[ "$CHANGED" = 1 ] && /usr/sbin/postqueue -f 2>/dev/null
exit 0
