Fortigate – No mail from Groupwise servers when TLS inspection is enabled.

As of FortiOS v4 MR3 patch 1 the Fortigate can inspect TLS-encrypted SMTP traffic on port 25, i.e. sessions that are upgraded with STARTTLS. Selecting SMTPS in the protocol options is what enables this inspection on port 25 (this can be confusing, since you would expect the setting to apply only to implicit-TLS traffic on port 465).

When TLS inspection is enabled for incoming mail there have been cases where mail from some domains does not flow. Specifically, mail from GroupWise servers will not complete while inspection is enabled (there may be other servers affected that have not yet been identified). In the GroupWise server logs you will often see a 420 TCP error. A common workaround has been to disable UTM for the SMTPS protocol, but without another spam solution in place that is undesirable. It may be preferable to stop the Fortigate from sending empty fragments, which GroupWise seems to dislike. Empty fragments are the zero-length records that OpenSSL-based stacks insert before each CBC record on SSL 3.0 and TLS 1.0 to defeat the predictable-IV chosen-plaintext attack (the one later popularised as BEAST); TLS 1.1 and later carry an explicit IV per record and do not need them. Some TLS implementations mishandle a zero-length record, which is presumably why the GroupWise side drops the session. Turning the setting off therefore only weakens SSL 3.0/TLS 1.0 CBC sessions; if both peers negotiate TLS 1.1 or later, nothing is lost. The change is made from the CLI (the leading # in the listing below is the CLI prompt, not part of the command):

config firewall ssl setting
    set ssl-send-empty-frags disable
end
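A 420 in the GroupWise log tells you the session died, not why. The probe below is an added diagnostic example, not code from the original post nor from Fortinet or Novell; it assumes you point it at a real MX host, and the host name, port, HELO name and expected certificate fingerprint are all values you supply. Run from a client inside the Fortigate it shows two things: whether the certificate seen on the STARTTLS session is the server's own or one re-signed by the Fortigate (inspection active), and whether the negotiated version and cipher are ones where ssl-send-empty-frags is even relevant (SSL 3.0/TLS 1.0 with a CBC suite).

```python
"""Probe an MX host's STARTTLS path and report what the client actually sees.

Added diagnostic example; not from the original post, Fortinet or Novell.
The target host, port, HELO name and expected fingerprint are assumptions
supplied by the operator.
"""
import hashlib
import socket
import ssl
import sys


def parse_reply(raw: bytes):
    """Parse one complete SMTP reply (RFC 5321) into (code, [text lines]).

    Multi-line replies use '250-' on continuation lines and '250 ' on the last.
    """
    lines = raw.decode("ascii", "replace").splitlines()
    if not lines or len(lines[-1]) < 3:
        raise ValueError("malformed SMTP reply: %r" % raw)
    return int(lines[-1][:3]), [ln[4:] for ln in lines]


def read_reply(f):
    """Read lines until the final '<code><space>' line, then parse them."""
    buf = b""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("peer closed the connection mid-reply")
        buf += line
        if len(line) >= 4 and line[3:4] == b" ":
            return parse_reply(buf)


def is_cbc_suite(cipher_name: str) -> bool:
    """True unless the OpenSSL suite name marks an AEAD or stream cipher."""
    return not any(tag in cipher_name for tag in ("GCM", "CCM", "CHACHA20", "RC4", "NULL"))


def empty_frag_setting_matters(tls_version: str, cipher_name: str) -> bool:
    """ssl-send-empty-frags only protects SSL 3.0 / TLS 1.0 CBC records;
    TLS 1.1+ carries an explicit IV per record and needs no empty fragment."""
    return tls_version in ("SSLv3", "TLSv1") and is_cbc_suite(cipher_name)


def send(sock, f, cmd: bytes):
    """Send one command line and return the parsed reply."""
    sock.sendall(cmd + b"\r\n")
    return read_reply(f)


def probe(host, port=25, helo="probe.example.invalid", expected_fingerprint=None, timeout=15):
    """EHLO, STARTTLS, EHLO again, NOOP, QUIT; report what the TLS side looked like."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # deliberate: we want to see a re-signed cert, not reject it
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # let an old server pick TLS 1.0 if it must
    except (AttributeError, ValueError):
        pass  # OpenSSL build without the legacy versions
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        code, _ = read_reply(f)
        if code != 220:
            raise RuntimeError("unexpected greeting %d" % code)
        code, ext = send(sock, f, b"EHLO " + helo.encode())
        if "STARTTLS" not in [e.split()[0].upper() for e in ext if e.strip()]:
            return {"starttls_offered": False}
        code, _ = send(sock, f, b"STARTTLS")
        if code != 220:
            raise RuntimeError("STARTTLS refused with %d" % code)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tf = tls.makefile("rb")
            # RFC 3207: the client must discard the pre-TLS EHLO response and start over.
            ehlo_code, _ = send(tls, tf, b"EHLO " + helo.encode())
            noop_code, _ = send(tls, tf, b"NOOP")
            send(tls, tf, b"QUIT")
            cipher, _, _ = tls.cipher()
            version = tls.version()
            fp = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
    return {
        "starttls_offered": True,
        "tls_version": version,
        "cipher": cipher,
        "cert_sha256": fp,
        # A mismatch against the fingerprint seen from outside the Fortigate means the session is re-signed.
        "cert_matches_expected": None if expected_fingerprint is None else fp == expected_fingerprint,
        "encrypted_channel_ok": ehlo_code == 250 and noop_code == 250,
        "empty_frag_setting_relevant": empty_frag_setting_matters(version, cipher),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mx.example.invalid"  # assumed target host
    print(probe(target))
```

Obtain the expected fingerprint from a vantage point the Fortigate does not sit in front of (the same function there, or `openssl s_client -starttls smtp -connect host:25`) and pass it as `expected_fingerprint`; a mismatch from the inside means the Fortigate is re-signing the session. The probe exercises only the encrypted command channel (EHLO, NOOP, QUIT); a session that dies during DATA, as the GroupWise case appears to, needs a full test message to reproduce.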
