OpenSSL Error when internal DKIM verification is enabled

[ulwanski]

I have an error for some emails, when internal DKIM verification is enabled. Content of mail is not loading, Roundcube shows general error message instead.

Roundcube log this error in syslog:

May  1 15:44:14 mail roundcube: PHP Warning:  fgets(): SSL operation failed with code 1. OpenSSL Error messages:
May  1 15:44:14 mail roundcube: error:04091068:rsa routines:int_rsa_verify:bad signature in /opt/roundcubemail-1.3.9/program/lib/Roundcube/rcube_imap_generic.php on line 204

if only problem is a bad signature, should't Roundcube just show red mark next to this mail, instead throw error?

Mail has signature:

DKIM-Signature: v=1; q=dns/txt; a=rsa-sha256; c=relaxed/relaxed; s=1000073432; d=auth.ccsend.com; h=date:mime-version:subject:X-Feedback-ID:message-id:from:reply-to:list-unsubscribe:list-unsubscribe-post:to; bh=ALSoH0ZNnHy/3dUdsd5tJo2mABE0XzVtM9Ql1LMXxgE=; b=J7pE3Fbwm3z+k6S0+TcY0Jw2d82gvSKBJC3I31Gwxil6x/ogDI6MI9B3Rtahtwd8Uw+vFYGakj19m02ZHN7S6zyno2YFuJddGJjCpNp2Luv2IjGlJkbniuwqBs2banU6ZlrfSDpiTPESNy0lwtdQ2NX9wr5lyfMrg4skQkDcM2Q=

When "Use internal DKIM verifier" is disabled, mail status is Signature found but no auth. results header. Server configuration problem?.

PHP version:

PHP 7.3.4-1+0~20190412071350.37+stretch~1.gbpabc171 (cli) (built: Apr 12 2019 07:13:50) ( NTS )

[PHP Modules]
apcu
bz2
calendar
Core
ctype
date
dom
exif
fileinfo
filter
ftp
gd
gettext
hash
iconv
imagick
imap
intl
json
ldap
libxml
mbstring
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_pgsql
pdo_sqlite
pgsql
Phar
posix
readline
Reflection
session
shmop
SimpleXML
sockets
sodium
SPL
sqlite3
standard
sysvmsg
sysvsem
sysvshm
tokenizer
wddx
xml
xmlreader
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache

[pimlie]

Thanks for the report. Not sure unfortunately whats going on, the first thought I had was that your mail server is using an invalid ssl certificate so when we try to retrieve the full message body from the imap server it fails. But if thats the case then the whole webmail shouldnt be working? Unless you set a stream context to disable the certificate check and stumbled upon a roundcube bug that it doesnt apply that stream context on this api call.

Does your mail server log anything about this at the same time?

[ulwanski]

@pimlie thanks for answer. No any other logs for this bug, I tried to turn debug on but nothing relevant is showing up. My server has a valid certificate for sure. This is reveal only for certain mails.

This mail for example triggers this bug: New Wi-Fi Modules, LNA and Power Amplifiers for Wireless Infrastructure & CATV Systems.zip

[dirkmittler]

Hello.

I would also appreciate the use of this plug-in, precisely because my ISP's IMAP servers never verify the DKIM. Therefore, the thing for me to do is, to enable the fallback DKIM verifier. However, if I do that, then the header in the GUI displays that DKIM signatures are often valid, but the body of the email does not display - for any email I choose. And this is what I get in the file '/var/log/roundcube/errors':

[03-Aug-2020 21:54:55 America/New_York] PHP Warning: fgets(): SSL operation failed with code 1. OpenSSL Error messages:
error:0906D06C:PEM routines:PEM_read_bio:no start line
error:0906D06C:PEM routines:PEM_read_bio:no start line in /usr/share/roundcube/program/lib/Roundcube/rcube_imap_generic.php on line 205

I'm using PHP version 7.0.33 and Roundcube version 1.2.3 .

There is a high probability that I'm doing something wrong myself.

Thanks for any tips,
Dirk

[dirkmittler]

(Sorry to bump.)

Hypothesis:

If I had to guess what might be happening, my guess would be, that when the fallback DKIM validator fetches the message body from the IMAP-server, in order to compute the hash, no cache of that message body is stored, so that a second attempt to fetch it - to display the body itself - tries to start at the end of the email. This might be what results in the message that, the subsequent stream "Has No First Line".

Either cache the message body, as the headers were cached, or fetch the entire email a second time.

Update Aug 5, 2020:

I had earlier mistakenly believed, that I had set the 'imap_cache' to 'db', as a test. But, I am using the SQLite database option, and had the parameter set to (null) the whole time. When I do set this parameter, if I turn the fallback DKIM validator on, I get an explicit error message telling me that the message could not be retrieved from the server.

(Update)

I have now decided that I will want some form of IMAP caching, and have chosen to install 'memcached' as my preferred method. Since the feature does not support caching activated by the user, I have locked the fallback DKIM validation to (false). I suppose I will need to rely on my ISP's validation results in the future.

Dirk