feat(mta): healthcare HOT-stream Postfix setup (dedicated hc IPs, isolated)

Adds 3 hc submission ports (2526/2527/2528) in the single Postfix instance,
each content_filter'd onto a dedicated hc transport (hcout1/2/3) binding the
hc IPs .107/.108/.109 with hc HELO identity (hcmta01-03) and hotter concurrency.
listmonk-hc round-robins the 3 ports.

Discovered + documented the constraint that drove this shape: transport_maps
randmap is owned by the shared trivial-rewrite(8) and is global, so neither a
per-smtpd -o transport_maps nor a FILTER randmap:{...} can scope a separate IP
pool (FILTER parses randmap as a literal transport). content_filter=hcoutN:
(empty nexthop) overrides transport_maps and keeps the real recipient domain.

Verified end-to-end on the server: :2527 -> hcout2 (.108) -> real gmail MX;
trucking transport_maps (.94-.96) untouched. Idempotent, postfix-check gated
with auto-rollback.

infra/postfix/hc_stream_setup.sh

@@ -0,0 +1,109 @@
+#!/bin/bash
+# Healthcare HOT-stream Postfix setup (dual-stream design).
+#
+# Goal: inject the healthcare campaign on a path that egresses ONLY from the
+# dedicated hc sending IPs (.107/.108/.109 with hc HELO identity), completely
+# separate from the trucking rotation pool (.94-.96), in a SINGLE Postfix
+# instance.
+#
+# Why this shape: source-IP round-robin inside one Postfix instance normally
+# comes from `transport_maps = randmap:{...}`, but that is owned by the shared
+# trivial-rewrite(8) daemon and is GLOBAL -- a per-smtpd `-o transport_maps`
+# does not override it, and a `FILTER randmap:{...}` action is parsed as a
+# literal transport (verified: "connect to transport private/randmap: not
+# found"). FILTER only accepts a real transport:nexthop.
+#
+# So we pin ONE hc IP per submission port and let listmonk-hc round-robin across
+# the three ports (Listmonk natively round-robins its configured SMTP servers):
+#
+#   listmonk-hc SMTP server 1 -> :2526 --content_filter--> hcout1 (.107, hcmta01)
+#   listmonk-hc SMTP server 2 -> :2527 --content_filter--> hcout2 (.108, hcmta02)
+#   listmonk-hc SMTP server 3 -> :2528 --content_filter--> hcout3 (.109, hcmta03)
+#
+# `content_filter=hcoutN:` (empty nexthop) re-injects via the hc transport but
+# keeps the ORIGINAL recipient domain, so it delivers to the real recipient MX
+# from the bound hc IP. content_filter overrides the global transport_maps, so
+# hc mail never touches the trucking pool. The trucking smtp:25 path is left
+# completely untouched.
+#
+# Verified end-to-end on the app server: a msg injected on :2527 egressed via
+# hcout2 (bind .108, helo hcmta02) and connected to the real gmail-smtp-in MX;
+# the trucking transport_maps (randmap:{out05,out06,out07} = .94-.96) was
+# unchanged.
+#
+# Idempotent + gated by `postfix check` with auto-rollback (mirrors mta_setup.sh).
+set -euo pipefail
+
+TS=$(date +%s)
+MC=/etc/postfix/master.cf
+
+echo "=== backup (.$TS) ==="
+sudo cp "$MC" "$MC.bak.$TS"
+
+# hc IP pool: port -> (smtp transport name, source IP octet, HELO label)
+# 2526->hcout1/.107, 2527->hcout2/.108, 2528->hcout3/.109
+echo "=== master.cf: add hc submission ports + per-IP transports ==="
+sudo python3 - "$MC" <<'PY'
+import sys
+mc = open(sys.argv[1]).read()
+add = []
+pool = [
+    (2526, 'hcout1', 107, 'hcmta01'),
+    (2527, 'hcout2', 108, 'hcmta02'),
+    (2528, 'hcout3', 109, 'hcmta03'),
+]
+if 'hcout1 unix' not in mc:
+    add.append('')
+    add.append('# === Healthcare HOT stream (dual-stream design) ===')
+    add.append('# One submission port per hc IP; listmonk-hc round-robins the ports.')
+    add.append('# FILTER forces each port onto its hc transport, overriding the global')
+    add.append('# trucking transport_maps so hc mail never uses the .94-.96 pool.')
+    for port, name, octet, helo in pool:
+        # Submission listener: tag every message with FILTER -> the hc transport.
+        add += [
+            '%d      inet  n       -       y       -       -       smtpd' % port,
+            '  -o syslog_name=postfix/hcsubmit%d' % octet,
+            '  -o smtpd_client_restrictions=permit_mynetworks,reject',
+            '  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination',
+            '  -o smtpd_helo_required=no',
+            '  -o content_filter=%s:' % name,
+        ]
+    for port, name, octet, helo in pool:
+        # The hc smtp transport: bind the hc IP, hc HELO, hotter concurrency.
+        add += [
+            '%s unix - - y - - smtp' % name,
+            '  -o smtp_bind_address=207.174.124.%d' % octet,
+            '  -o smtp_helo_name=%s.performancewest.net' % helo,
+            '  -o syslog_name=postfix/%s' % name,
+            '  -o smtp_destination_concurrency_limit=10',
+            '  -o smtp_destination_rate_delay=0s',
+            '  -o smtp_destination_recipient_limit=20',
+        ]
+    mc = mc.rstrip('\n') + '\n' + '\n'.join(add) + '\n'
+    open(sys.argv[1], 'w').write(mc)
+    print('  master.cf updated (+%d lines)' % len(add))
+else:
+    print('  master.cf already has hc stream (no change)')
+PY
+
+echo "=== hc warmup stamp (drives the listmonk-hc ramp cap) ==="
+[ -f /etc/postfix/hc-warmup-start ] || date +%s | sudo tee /etc/postfix/hc-warmup-start >/dev/null
+echo "  hc-warmup-start: $(sudo cat /etc/postfix/hc-warmup-start)"
+
+echo "=== postfix check (gate) ==="
+if sudo postfix check 2>&1 | grep -viE 'not owned|^$'; then :; fi
+if sudo postfix check >/dev/null 2>&1; then
+  echo "CHECK OK"; sudo postfix reload && echo "RELOADED"
+else
+  echo "CHECK FAILED — rolling back"
+  sudo cp "$MC.bak.$TS" "$MC"
+  sudo postfix reload || true
+  echo "ROLLED BACK"; exit 1
+fi
+
+echo "=== verify ==="
+echo -n "hc transports: "; sudo grep -cE "^hcout[123] unix" "$MC"
+for p in 2526 2527 2528; do
+  echo -n ":$p "; sudo ss -ltn 2>/dev/null | grep -qE ":$p\b" && echo "LISTENING" || echo "(settling)"
+done
+echo "DONE."