"420 TCP Read" Error Sending to Specific Domains

  • 7007770
  • 23-May-2012
  • 12-Mar-2014


Novell GroupWise 2012
Novell GroupWise
Fortigate firewall appliance
Watchguard firewall appliance


Sending securely (over TLS) to some specific Internet domains causes messages to be delayed and eventually fail. The GroupWise Internet Agent (GWIA) logs a "420 TCP Read Error" for these messages.
Sending the same messages in plain text (without TLS) succeeds.


In this particular case, the receiving SMTP server was fronted by a Fortigate 110b appliance/firewall. It was running in a mode that scanned (inspected) the incoming SMTP/TLS session. After the appliance was set to pass the traffic straight through to the receiving SMTP server, the communication completed successfully.

Novell has also seen similar "420 TCP Read" errors with Watchguard firewalls that are configured to inspect SMTP packets. Removing or disabling the SMTP policy on the firewall allowed the messages to be delivered without error.

Additional Workaround:   Sites that require messages to a given domain to be sent securely, and therefore must keep TLS enabled, can route messages destined for those domains to an intermediate mail relay (such as Postfix) instead of sending them directly from the GWIA.
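To decide which domains need the relay workaround, it helps to triage the GWIA log for "420 TCP Read" failures per destination domain and then draft the per-domain Postfix TLS policy entries (the `smtp_tls_policy_maps` format `domain<TAB>policy`) for those domains. The script below is an added example, not part of this TID or of GroupWise/Postfix. The log lines in SAMPLE_LOG are constructed and only approximate the layout of a real GWIA log (time, thread, message id, text); adjust LINE_RE and RCPT_RE to match your own log. How the GWIA itself is told to hand those domains to the relay is site-specific and is not shown here.

```python
"""Triage GWIA log lines for '420 TCP Read' failures per destination domain
and draft Postfix TLS-policy map entries for the relay workaround.

Added example (not from the TID). Log format is constructed/approximate.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: <time> <thread> MSG <msgid> <text>
SAMPLE_LOG = """\
10:02:11 1C4 MSG 4a1f Recipient: alice@partner-a.example
10:02:11 1C4 MSG 4a1f Sending to host mx1.partner-a.example [203.0.113.10]
10:02:11 1C4 MSG 4a1f STARTTLS negotiated
10:02:41 1C4 MSG 4a1f Send Failure: 420 TCP Read Error
10:03:05 1C8 MSG 4a20 Recipient: bob@partner-b.example
10:03:05 1C8 MSG 4a20 Sending to host mx.partner-b.example [198.51.100.7]
10:03:06 1C8 MSG 4a20 Message sent, 250 OK
10:07:12 1D0 MSG 4a21 Recipient: carol@partner-a.example
10:07:42 1D0 MSG 4a21 Send Failure: 420 TCP Read Error
10:09:00 1D4 MSG 4a22 Recipient: dave@partner-c.example
10:09:30 1D4 MSG 4a22 Send Failure: 420 TCP Read Error
"""

# Assumed line layout: time, thread id, literal MSG, message id, free text.
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<thread>\S+)\s+MSG\s+(?P<msgid>\S+)\s+(?P<text>.*)$"
)
# Assumed recipient line; we only need the domain part of the address.
RCPT_RE = re.compile(r"Recipient:\s+\S+@(?P<domain>[\w.-]+)", re.IGNORECASE)


def parse_outcomes(log_text):
    """Return {domain: {'failed_420': n, 'delivered': m}} from GWIA-style log text.

    The recipient domain is learned from the message's Recipient line and
    remembered by message id, so later failure/success lines for the same
    message id can be attributed to that domain.
    """
    domain_for_msg = {}
    outcomes = defaultdict(Counter)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a message line (blank, banner, etc.)
        msgid, text = m.group("msgid"), m.group("text")
        rcpt = RCPT_RE.search(text)
        if rcpt:
            domain_for_msg[msgid] = rcpt.group("domain").lower()
            continue
        domain = domain_for_msg.get(msgid)
        if domain is None:
            continue  # no recipient seen for this id; cannot attribute
        if "420 TCP Read" in text:
            outcomes[domain]["failed_420"] += 1
        elif "Message sent" in text:
            outcomes[domain]["delivered"] += 1
    return {d: dict(c) for d, c in outcomes.items()}


def failing_domains(log_text):
    """Domains with at least one 420 TCP Read failure and no successful delivery.

    Domains that also show deliveries are left out: their failures are more
    likely transient than caused by an inspecting firewall at the far end.
    """
    outcomes = parse_outcomes(log_text)
    return sorted(
        d for d, c in outcomes.items()
        if c.get("failed_420", 0) and not c.get("delivered", 0)
    )


def draft_tls_policy_map(domains, policy="encrypt"):
    """Draft lines for a Postfix smtp_tls_policy_maps file (domain<TAB>policy).

    'encrypt' makes Postfix insist on TLS for that domain, so the relay keeps
    the security guarantee the site required when it could not disable TLS
    on the GWIA.
    """
    return [f"{d}\t{policy}" for d in domains]


if __name__ == "__main__":
    for domain, counts in parse_outcomes(SAMPLE_LOG).items():
        print(f"{domain}: {counts}")
    print("# candidate lines for /etc/postfix/tls_policy (then: postmap it)")
    for line in draft_tls_policy_map(failing_domains(SAMPLE_LOG)):
        print(line)
```

Run against a real log by reading the file in place of SAMPLE_LOG; the drafted lines go into the file named by `smtp_tls_policy_maps` on the relay, and the relay must also be allowed to accept mail from the GWIA (for example via `mynetworks`).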


The problem has been narrowed down to the TLS countermeasure of sending empty fragments to prevent the CBC IV attack; this countermeasure has to be disabled in the Fortigate settings for TLS inspection to work.


Reported to Engineering