"420 TCP Read" Error Sending to Specific Domains

  • 7007770
  • 23-May-2012
  • 12-Mar-2014

Environment

Novell GroupWise 2012
Novell GroupWise
Fortigate firewall appliance
Watchguard firewall appliance

Situation

Sending securely (over TLS) to some specific Internet domains causes messages to be delayed and eventually fail. The GroupWise Internet Agent (GWIA) logs a "420 TCP Read Error" for these messages.

Sending in plain text to the same domains works successfully.

Resolution

In this particular case, the receiving SMTP server was fronted by a Fortigate 110b firewall appliance. It was running in a mode that inspected the incoming SMTP session, including the TLS exchange. After the appliance was configured to pass the traffic through to the receiving SMTP server directly, the communication completed successfully.

Novell has also seen similar "420 TCP Read" errors with Watchguard firewalls that are configured to inspect SMTP packets. Removing or disabling the SMTP policy on the firewall allowed the messages to be delivered without error.

Additional Workaround: For those sites that require messages to be sent securely to their domain and, therefore, need TLS to remain enabled, route messages destined for those domains through an intermediate mail relay (such as Postfix).

Cause

The problem has been narrowed down to the sending of empty TLS fragments, a countermeasure against the CBC IV attack. This countermeasure has to be disabled in the Fortigate settings for TLS inspection to work.
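The two practical questions raised by the Resolution and Cause sections are which destinations are hitting the error and whether a given destination fails during the TLS handshake or only after it. The following Python script is an added example, not code from Novell or from this TID. It assumes a hypothetical GWIA-like log layout (constructed sample lines; the real GWIA log format may differ) and uses the standard-library `smtplib`/`ssl` modules for the STARTTLS probe. The probe's `tls-handshake` stage followed by a stalled `EHLO` is the pattern that matches an inspecting firewall letting the handshake complete and then dropping the first encrypted record.

```python
import re
import smtplib
import ssl
from collections import Counter

# Constructed sample in a hypothetical GWIA-like log layout (the real GWIA
# log format may differ): time, thread id, "MSG", message id, free text.
SAMPLE_LOG = """\
11:02:17 1A3 MSG 10421 Connected to mx.partner-a.example (TLS)
11:03:47 1A3 MSG 10421 Send failure: 420 TCP Read Error
11:05:01 1A4 MSG 10422 Connected to mx.partner-b.example
11:05:02 1A4 MSG 10422 Transferred
11:06:10 1A3 MSG 10421 Connected to mx.partner-a.example (TLS)
11:07:40 1A3 MSG 10421 Send failure: 420 TCP Read Error
"""

CONNECT_RE = re.compile(r"^\S+ (?P<thread>\S+) MSG \S+ Connected to (?P<host>\S+)")
ERROR_RE = re.compile(r"^\S+ (?P<thread>\S+) MSG \S+ .*420 TCP Read Error")


def count_420_by_host(log_text):
    """Count '420 TCP Read Error' failures per destination host.

    The error line itself does not name the peer, so the parser remembers the
    last 'Connected to' host seen on the same GWIA thread and charges the
    error to that host.
    """
    last_host = {}
    failures = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            last_host[m.group("thread")] = m.group("host")
            continue
        m = ERROR_RE.match(line)
        if m:
            failures[last_host.get(m.group("thread"), "<unknown>")] += 1
    return failures


def probe_starttls(host, port=25, timeout=30):
    """Walk EHLO -> STARTTLS -> EHLO against one MX and report how far it got.

    Returns a dict with 'stage' (the last step that completed), 'ok' and
    'error'. Certificate checks are disabled because the question here is
    whether encrypted traffic gets through at all, not whether the peer is
    trusted; do not reuse this context for real mail delivery.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    stage = "none"
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            stage = "connect"
            smtp.ehlo()
            stage = "ehlo"
            if not smtp.has_extn("starttls"):
                return {"host": host, "stage": stage, "ok": False,
                        "error": "server did not offer STARTTLS"}
            smtp.starttls(context=ctx)
            stage = "tls-handshake"
            # First encrypted application record after the handshake. A
            # middlebox that cannot cope with the empty-fragment countermeasure
            # typically lets the handshake finish and then stalls here until
            # the read times out, which is what GWIA reports as 420 TCP Read.
            smtp.ehlo()
            stage = "tls-ehlo"
            return {"host": host, "stage": stage, "ok": True, "error": None}
    except (smtplib.SMTPException, OSError) as exc:
        return {"host": host, "stage": stage, "ok": False, "error": repr(exc)}


def classify(result):
    """Map a probe result to the diagnosis this TID describes."""
    if result["ok"]:
        return "tls-delivery-works"
    if result["stage"] == "tls-handshake":
        return ("handshake-ok-first-record-stalls: consistent with a firewall "
                "inspecting SMTP/TLS on the receiving side")
    if result["stage"] == "ehlo" and result["error"] == "server did not offer STARTTLS":
        return "no-starttls-offered"
    return "failed-before-tls: " + result["stage"]


if __name__ == "__main__":
    import sys
    for host, n in count_420_by_host(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {host}")
    if len(sys.argv) > 1:
        # Usage: python probe.py mx.partner-a.example
        print(classify(probe_starttls(sys.argv[1])))
```

Run it with no arguments to see the per-host failure counts from the constructed log; pass an MX hostname to probe it. A result classified as `handshake-ok-first-record-stalls` is the case the Resolution section addresses: the TLS handshake itself succeeds and the session dies on the first encrypted command, so the fix belongs on the receiving side's firewall (pass-through for that server, or routing via a relay as in the workaround), not in GWIA's own TLS settings.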

Status

Reported to Engineering