XWALL Knowledge Base

The following information is knowledge attained by Deltanet technicians through many years of supporting XWALL installations. This information complements the comprehensive online manuals hosted by Dataenter. Many of the issues and ini entries also apply to sister products SMTPBeamer and POPBeamer

SOPHOS and PASSWORD PROTECTED FILES

A password protected PDF or a zip file containing a password protected PDF will by default report positive as a virus.

The solution is to add the following line to the Xwall.ini

VirusScannerExitCode=XxxxxxxxxxxxxxxxXxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The X at position 16 tells Xwall to ignore error level 16 Sophos provides when it tests a password protected file.

Also note if you are also running SMTPBeamer the same entry needs to be put in the SMTPBeam.ini.

There are a number of cases where password protected files are received and it is a legitimate requirement to allow these through. Eg: Statements from Bank, etrade share certificates, confidential information etc. Obviously if it is really infected then it will be up to the memory resident scanner to capture it.

LOOPING MESSAGES

Add these lines to any SMTPBeamer/Xwall sites in the smtpbeam.ini file, this will resolve incorrectly addressed emails looping between SMTPBeamer and Xwall 20 times.

QueryDNSForLocalUser=False
QueryDNSForLocalUserOnRelay=True

STATISTICS

And if you would like extra stats for SMTPBeamer or XWALL add this line to smtpbeam.ini

AccessStatistic=True

iMate and SMTPBeamer

The client uses NTLM as authentication, but for whatever reason it is not sending the correct user and/or password.

Add the line

OutboundNTLM=False

to SMTPBeam.ini so that NTLM is disabled, and this will force the client should use plain text authentication.

XWALL FAILOVER

Basically SMTP failover with XWall is no problem. You install two or more XWall and configure your MX to point to each XWall. So if the first one is down, then second one will automatically get the message.

Once XWall has the message, the next failover needs to be the Exchange. So you need two or more Exchange servers, each configured to handle all messages.

In XWall you define one Exchange as usual and for the other you add the line

ExchAlias=second.exchange.com to XWall.ini

XWALL – CONSOLE TASK or SERVICE

You should not really run it as a console application, because it is around 30% slower and much more unreliable.

SHUTDOWN XWALL CONSOLE TASK AUTOMATICALLY

Create a file named Quit.sig in the XWall directory

WHAT DOES sls-hdr MEAN ?

Excluded sls-hdr means then header of a message had an IP that is excluded in Options->Spam->Spam->Exclude

SSL/TLS

Start MBAdmin, select View->Options->TLS and add your own certificate and then enable inbound TLS. ( outbound TLS is enabled by default )

If you want to convert your IIS certificate then use the script (from Greg).

HISTORY FILES

To convert a history text file to email format: locate the message in HIST-IN or HIST-OUT and open it Notepad.
You may rename it to *.uue and open it in Winzip.
Or you rename it to *.eml and open it on Outlook Express

VIEWING STATISTICS

Download ESATInformer

SPAM BLOCKING TECHNOLOGIES

Visit these links...

• Bayes
• Greylisting
• SLS
• SPF
• MAPS

SLOW POP COLLECTION

Open the logfile of SMTPBeamer and locate the line that is called "Connection opened by xxxx [10.x.x.x]"

If the xxx is a upper case name or an IP address, then you have no DSN reverse lookup ( PTR ) an this takes some time because SMTPBeamer runs in the DNS timeout every time.

So either fix the PTR ( which is the best, because you get this problem at several programs ) or disable reverse lookup in MBAdmin
View->Options->Advanced

HTML DISCLAIMER

Create a file called odisc-ht.txt and store in the XWALL directory

Only raw html code should be used

Example file
<p>============================================</p> <p><font face="Arial"><i>Deltanet Pty Ltd</i></font></p>

If you would like to add an image, the image must be either external or already in the message itself. Means you can not add a image, simply because XWall is manipulating the HTML text and not the HTML message.

DATABLOC.DAT

Q. I have a Mailbeamer site which has a comprehensive blocked list in databloc.dat which I would like to transfer to Xwall.
I have found Xwall uses InboundBlockAtt the same as Mailbeamer and I can just cut and paste to the xwall.ini but now xwall uses InboundBlockFromAddress and Mailbeamer uses databloc.dat. Is there an easy way to convert this data from Mailbeamer to Xwall?

A. XWall uses the same databloc.dat as Mailbeamer, but InboundBlockFromAddress is not in databloc.dat

Databloc.dat blocks at the SMTP level, InboundBlockFromAddress discard after it has accepted the messages.

DELTANET XWALL.INI SETTINGS

This is what we recommend to add to most installations:

QueryDNSForLocalUser=False
QueryDNSForLocalUserOnRelay=True
AccessStatistic=True
NDRFromAddress=user@domain.com

Add common as well as these
SLS=relays.ordb.org,blackholes.five-ten-sg.com
SLS=sbl.spamhaus.org,blackholes.five-ten-sg.com
SLS=dnsbl.njabl.org,blackholes.five-ten-sg.com
SLS=list.dsbl.org
SLS=spamsources.fabel.dk,blackholes.intersil.net
SLS=formmail.relays.monkeys.com,blackholes.intersil.net
SLS=proxies.relays.monkeys.com,blackholes.intersil.net
SLS=relays.visi.com,blackholes.five-ten-sg.com
SLS=dnsbl.sorbs.net,blackholes.five-ten-sg.com
SLS=bl.spamcop.net,blackholes.five-ten-sg.com
SLS=rbl-plus.mail-abuse.org,blackholes.easynet.nl
SLS=blackholes.five-ten-sg.com,blackholes.easynet.nl
SLS=blackholes.wirehub.net,blackholes.five-ten-sg.com
SLS=china.blackholes.us,blackholes.intersil.net
SLS=china.blackholes.us,blackholes.five-ten-sg.com
SLS=blackholes.intersil.net,blackholes.five-ten-sg.com
SLS=bl.spamcop.net,blackholes.easynet.nl
SLS=flowgoaway.com
SLS=multihop.dsbl.org,blackholes.five-ten-sg.com
SLS=unconfirmed.dsbl.org,blackholes.five-ten-sg.com
SLS=cbl.abuseat.org
SLS=blackholes.easynet.nl,blackholes.five-ten-sg.com
SLS=proxies.blackholes.easynet.nl,blackholes.intersil.net
SLS=spamsources.fabel.dk,china.blackholes.us
SLS=dnsbl.njabl.org,blackholes.intersil.net
SLS=t1.bl.reynolds.net.au,blackholes.intersil.net
SLS=sbl.spamhaus.org,blackholes.intersil.net
SLS=bl.deadbeef.com
SLS=opm.blitzed.org,blackholes.intersil.net
SLS=sbl.spamhaus.org,blackholes.intersil.net
SLS=bl.spamcop.net,blackholes.intersil.net
SLS=china.blackholes.us,blackholes.intersil.net
SLS=spews.bl.reynolds.net.au,china.blackholes.us
SLS=formmail.relays.monkeys.com,blackholes.five-ten-sg.com
SLS=proxies.relays.monkeys.com,blackholes.five-ten-sg.com
SLS=bl.spamcop.net,blackholes.intersil.net
SLS=sbl.spamhaus.org,blackholes.intersil.net
SLS=blackholes.easynet.nl,blackholes.intersil.net