[mailman] Add script to enable DMARC mitigation

This script is added to implement
https://pagure.io/fedora-infrastructure/issue/11427

The script was already executed on staging environment and finished without
issue. It could be executed multiple times and only affects list that don't have
the settings set yet. I will document this as another step to take when creating
a new list.

Signed-off-by: Michal Konecny <mkonecny@redhat.com>

roles/mailman3/files/enable_dmarc_mitigation.py

@@ -0,0 +1,73 @@
+#!/usr/bin/python3
+
+"""
+This script is for enabling DMARC mitigation in mailman3 for
+any list that doesn't have the policy enabled.
+For more info about DMARC mitigation in mailman3 see
+https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/dmarc-mitigations.html
+
+For more info why Fedora is doing this see
+https://pagure.io/fedora-infrastructure/issue/11427
+
+The script will set dmarc_mitigate related columns
+in `mailman` table to preferred values.
+"""
+
+import configparser
+import psycopg2
+
+MAILINGLIST_TABLE = "mailinglist"
+DMARC_MITIGATE_ACTIONS = {
+    "no_mitigation": 0,
+    "munge_from": 1,
+    "wrap_message": 2,
+    "reject": 3,
+    "discard": 4
+}
+# Default DMARC values we want to set
+DEFAULT_DMARC_MITIGATE_ACTION = 1  # munge_from option
+DEFAULT_DMARC_MITIGATE_UNCONDITIONALLY = True  # Apply to everything
+
+# Read the database information from mailman config
+config = configparser.ConfigParser()
+config.read('/etc/mailman.cfg')
+db_connect_url = config["database"]["url"]
+conn = psycopg2.connect(db_connect_url)
+
+try:
+    with conn.cursor() as cursor:
+        # Obtain all mailing lists that don't have DMARC mitigation enabled
+        cursor.execute(
+            "SELECT id FROM {} WHERE dmarc_mitigate_action={}".format(
+                MAILINGLIST_TABLE, DMARC_MITIGATE_ACTIONS["no_mitigation"]
+            )
+        )
+        rows = cursor.fetchall()
+        update_data = []
+        for row in rows:
+            update_data.append(row[0])
+
+        print("Will update {0} rows".format(len(update_data)))
+        # Update DMARC mitigation action
+        for row_id in update_data:
+#            print(
+#                "UPDATE {0} SET dmarc_mitigate_action = {1}, dmarc_mitigate_unconditionally = {2} WHERE id = {3}".format(
+#                    MAILINGLIST_TABLE,
+#                    DEFAULT_DMARC_MITIGATE_ACTION,
+#                    DEFAULT_DMARC_MITIGATE_UNCONDITIONALLY,
+#                    row_id
+#                )
+#            )
+            cursor.execute(
+                "UPDATE {0} SET dmarc_mitigate_action = {1}, dmarc_mitigate_unconditionally = {2} WHERE id = {3}".format(
+                    MAILINGLIST_TABLE,
+                    DEFAULT_DMARC_MITIGATE_ACTION,
+                    DEFAULT_DMARC_MITIGATE_UNCONDITIONALLY,
+                    row_id
+                )
+            )
+
+        conn.commit()
+    print("Updated rows: {}".format(len(update_data)))
+except (Exception, psycopg2.DatabaseError) as error:
+    print(error)

roles/mailman3/tasks/main.yml

@@ -539,7 +539,9 @@
     owner: root
     group: root
     mode: 0755
-  tags: mailman
+  tags:
+    - mailman
+    - scripts
 
 - name: Install the scripts
   ansible.builtin.copy:
@@ -548,11 +550,23 @@
     owner: root
     group: root
     mode: 0755
-  tags: mailman
+  tags:
+    - mailman
+    - scripts
+    - dmarc
   with_items:
   - mailman-sar.py
   - migrate_fedora_auth.py
   - generate_search_index.py
+  - enable_dmarc_mitigation.py
+
+- name: Run the DMARC mitigation script
+  ansible.builtin.script:
+    cmd: "{{ mailman_webui_basedir }}/bin/enable_dmarc_mitigation.py"
+  tags:
+    - mailman
+    - scripts
+    - dmarc
 
 - name: Install the staging-sync script
   ansible.builtin.copy: