Endpoint Protection causing SMTP connections to Azure to go idle and timeout
Hi,
This is a rather technical post, so I don't know if it belongs here or in the "Off-topic - Tech outpost" forum, but I'll start here..
We have developed an SMTP-client/-server application and are running the server on the Microsoft Azure Cloud. Doing this, we found that emails were taking a long time to send--50+ seconds--often timing out and failing. After opening a support call with Microsoft, we have found the causing factor to be an application called "ccApp.exe" (which I believe is part of Symantec Endpoint Protection, and monitors email traffic for viruses[?]). Killing the ccApp process resulted in emails being sent quickly and successfully.
Getting a bit more technical now: Doing a network trace, we can see that when ccApp is not running, our SMTP traffic sends the following commands:
HELO, MAIL, RCPT, MIME, DATA..., QUIT
..however, when ccApp is running, the SMTP traffic looks like this:
HELO, MAIL, RCPT, RSET, <delay 50+ seconds>, RSET, MAIL, RCPT, MIME, DATA..., QUIT
..so I am guessing that ccApp is hooking winsock and injecting SMTP commands into our emails. The problem is that after ccApp sends the first RSET and the server responds OK, nothing happens for 50+ seconds. Azure will kill a connection if it's idle for more than 60 seconds, so this can cause our emails to fail. If ccApp does respond before this 60 second time-out, the second RSET is sent, and with no delay, so too is the rest of the message.
Another thing to note is that if we run our SMTP-server on a machine on our local network, there is *no* delay between the RSETs, and if we run our server on an Azure emulator (running locally), there *is* a 50+ second delay, so it makes it look like the problem is specifically between ccApp and Azure (live or emulated). It should also be noted that when running on Azure, our SMTP-server sits behind a load-balancer.
So, I'm wondering: what is ccApp doing all these 50+ seconds? And is it something a load-balancer could be doing (for example, every time an email is sent to the IP address of our server, the load-balancer will push the request off to one of a number of machines (through a unique private port). Is it possible that ccApp could notice something like this and heuristically freak-out)?
Thank you,
Kind regards,
Eliott
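An added example, not part of the original post: a small Python check that takes a command timeline exported from a network trace and reports the commands the application never issued and any gap that approaches the 60-second idle cut-off mentioned above. The trace format, the timings, the 80% warning threshold and all function names are assumptions made for illustration.

```python
from collections import Counter

IDLE_LIMIT = 60.0  # seconds idle before the connection is dropped, per the post
WARN_AT = 0.8      # assumption: flag gaps using 80% or more of that budget

# Constructed export: "<seconds since connect> <label>", client-to-server only,
# using the labels of the post's second sequence. Timings are made up.
WIRE_TRACE = """\
0.00 HELO
0.21 MAIL
0.40 RCPT
0.62 RSET
52.95 RSET
53.01 MAIL
53.08 RCPT
53.20 MIME
53.35 DATA
53.90 QUIT
"""
# What the sending application itself issued (the post's first sequence).
APP_SENT = ["HELO", "MAIL", "RCPT", "MIME", "DATA", "QUIT"]

def parse(trace):
    """Return [(timestamp, label), ...] from the export format above."""
    events = []
    for line in trace.splitlines():
        if line.strip():
            ts, label = line.split(maxsplit=1)
            events.append((float(ts), label.strip().upper()))
    return events

def extra_commands(events, app_sent):
    """Labels seen on the wire more often than the application sent them."""
    return dict(Counter(label for _, label in events) - Counter(app_sent))

def idle_gaps(events, limit=IDLE_LIMIT, warn_at=WARN_AT):
    """Gaps between consecutive client commands that approach the idle limit.
    Server replies are ignored, so the real idle time is slightly shorter."""
    gaps = []
    for (t0, prev), (t1, nxt) in zip(events, events[1:]):
        if t1 - t0 >= limit * warn_at:
            gaps.append({"prev": prev, "next": nxt, "seconds": round(t1 - t0, 2),
                         "headroom": round(limit - (t1 - t0), 2)})
    return gaps

if __name__ == "__main__":
    ev = parse(WIRE_TRACE)
    print("extra on wire:", extra_commands(ev, APP_SENT))
    print("near-timeout gaps:", idle_gaps(ev))
```

Run against traces from both the local and the Azure-hosted server, the same check shows whether the extra RSET/MAIL/RCPT appear in both cases and how much headroom remains before the idle limit.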