Thomas,

I just implemented VirusWall, but in a different configuration than you have.

I think you should start by turning off the "Disable insertion of InterScan "Received:" header when processing messages". This is on the Advanced Options of the GUI, or in the intscan.ini in the [EMail-Scan] section by setting DisabledReceivedHeader=no. Then put in an IPBYPASS for that IP, which you say is 10.0.0.14.

I'll have to leave it to others to comment on how this will affect your SPAMDOMAINS test.

And FWIW, the Trend Micro InterScan VirusWall SMTP module does not "gateway the TCP connection". It is a normal mail relay. It behaves as a normal MTA, receiving the entire message and committing it to disk before it scans the message for a virus. The confusing bit is that it happens to have a feature that it can happily forward mail to any port you specify (instead of just tcp/25), which is a convenience for many who want to run the VirusWall on the same box as their usual MTA.

More implementation notes (off topic):

- Trend doesn't do a sterling job of organizing the updates to this product. I found it necessary to make several tickets with their support desk and as a result applied:
  - the latest VSAPI engine 6.510-1002
  - isnt3.53_servicepack_au1.32_b1000.zip to get the latest ActiveUpdate software
  - ISNTHotFix_B1563.zip to fix the logging of the inbound message action

And the following changes to the intscan.ini to turn on silently quarantining the whole message if a virus is found in an inbound message (this is documented in the readme.txt):

[EMail-Scan]
HoldInfectedInboundMsgs=Yes

I advise turning off this restrictive behaviour to prevent false positives in Trend Micro Solution ID 13509:

[EMail-Scan]
AllowMultiContentType=yes (default is no)

VirusWall has the default behaviour of throttling the mail if there are more than 20 bad attempts to address mail through it.
You'll want to set it to whatever number you feel comfortable with (note, these entries must be created):

[EMail-Scan]
MaxInServerTryCount=0 (default is 20)
MaxOutServerTryCount=0 (default is 20)

Andrew 8)

-----Original Message-----
From: Thomas Kishel [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 7:05 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] IPBYPASS not working

Scott,

> The question here is "What do you want IPBYPASS to do"?

We are using TrendMicro's VirusWall in front of our IMail server. Its SMTP service appears to gateway a tcp connection between the sending and receiving mail servers. Therefore, IMail sees incoming connections with the sending server representing itself with its configured host name but with the IP address of the gateway.

I have configured Declude (1.75) to IPBYPASS that address, but the SPAMDOMAINS test always fails.

Are my expectations unrealistic considering my environment, or is SPAMDOMAINS not honoring IPBYPASS?

-- Topology:
Internet -> Firewall [(NAT) 208.20.231.2 -> 10.0.0.2] -> TrendMicro VirusWall [10.0.0.14] -> Declude-IMail [10.0.0.4]

-- Headers:
Received: from web80703.mail.yahoo.com [10.0.0.14] by email.meridiancg.com (SMTPD32-8.00) id AD711A3011C; Wed, 06 Aug 2003 09:06:57 -0400
Message-ID: <[EMAIL PROTECTED]>
Received: from [208.20.231.2] by web80703.mail.yahoo.com via HTTP; Wed, 06 Aug 2003 06:09:53 PDT
Date: Wed, 6 Aug 2003 06:09:53 -0700 (PDT)
From: Thomas Kishel <[EMAIL PROTECTED]>
Subject: Test

-- Declude Log:
08/06/2003 09:06:59 Qfd7101a3011ca7cd Msg failed SPAMDOMAINS (Spamdomain 'yahoo.com' found: Address of [EMAIL PROTECTED] sent from invalid .). Action=LOG.
08/06/2003 09:06:59 Qfd7101a3011ca7cd Subject: Test
08/06/2003 09:06:59 Qfd7101a3011ca7cd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 10.0.0.14 ID:

-- IMail Log:
SMTPD (01A3011C) [10.0.0.4] connect 10.0.0.14 port 42167
SMTPD (01A3011C) [10.0.0.14] HELO web80703.mail.yahoo.com
SMTPD (01A3011C) [10.0.0.14] MAIL FROM:<[EMAIL PROTECTED]>
SMTPD (01A3011C) [10.0.0.14] RCPT TO:<[EMAIL PROTECTED]>

--
Thomas Kishel, Department Head - Systems
Larson Texts, Inc.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
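
An added illustration, not part of the original messages and not Declude's or Trend Micro's code, of why the relay's own Received: header matters when bypassing a trusted relay IP: a Python sketch that reads the Received: headers newest first and skips bypassed addresses. The function name, the relay header format, viruswall.example and the 192.0.2.25 address are constructed assumptions.

```python
import re
from email import message_from_string

# Matches the bracketed peer address a relay records, e.g. "[10.0.0.14]".
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def effective_sender_ip(raw_headers, bypass_ips):
    """Return the first Received-header IP that is not a bypassed relay.

    Headers are read newest first. Returns None when every hop that
    recorded an IP is in bypass_ips. Generic sketch of the bypass idea.
    """
    msg = message_from_string(raw_headers)
    for received in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(received)
        if match is None:
            continue  # hop recorded no bracketed address
        if match.group(1) not in bypass_ips:
            return match.group(1)
    return None

IMAIL_HOP = ("Received: from web80703.mail.yahoo.com [10.0.0.14] by "
             "email.meridiancg.com (SMTPD32-8.00) id AD711A3011C; "
             "Wed, 06 Aug 2003 09:06:57 -0400\n")
WEBMAIL_HOP = ("Received: from [208.20.231.2] by web80703.mail.yahoo.com "
               "via HTTP; Wed, 06 Aug 2003 06:09:53 PDT\n")
# Constructed: what a relay-inserted header could look like (format assumed).
RELAY_HOP = ("Received: from web80703.mail.yahoo.com ([192.0.2.25]) by "
             "viruswall.example; Wed, 06 Aug 2003 09:06:55 -0400\n")

# Headers as posted: the relay adds no Received: line of its own.
PAGE_HEADERS = IMAIL_HOP + WEBMAIL_HOP + "Subject: Test\n\n"
# Same message with the relay's header present between the two hops.
WITH_RELAY_HEADER = IMAIL_HOP + RELAY_HOP + WEBMAIL_HOP + "Subject: Test\n\n"

if __name__ == "__main__":
    bypass = {"10.0.0.14"}
    # No bypass: the relay itself looks like the sender.
    print(effective_sender_ip(PAGE_HEADERS, set()))
    # Bypass without the relay header: falls through to the webmail
    # client address, not the server that connected to the relay.
    print(effective_sender_ip(PAGE_HEADERS, bypass))
    # Bypass with the relay header: the connecting server is recovered.
    print(effective_sender_ip(WITH_RELAY_HEADER, bypass))
```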
