GWAVA (Secure Messaging Gateway)
Getting IP reputation false positives, some are temp failures and some are blocked. How does it work and how can it be managed?
SMG on SLES uses a different IP reputation service than SMG on Ubuntu and GWAVA 6.5. The previous service used the IP reputation temp fail as a form of greylisting; the current service does not.
When a connecting IP is scanned, it receives a reputation score. The score for each IP is written to the smg-smtp log (for connection drop scanning) and to the smg-scanner log (for policy scanning).
The slider bar in the IP reputation settings is divided into three parts, Allow, Delay, and Reject, so that IPs are handled according to their score; the Allow part lets the floor of the detection range be lifted above 500 if required. The default setting is 0% Allow, 20% Delay, and 80% Reject.
Log example (smg-smtp):
 2020-10-07 00:10:58 (IPRP)<321927> IP address x.x.x.x delayed by IP reputation test with score of 500 (min 500)
 2020-10-07 00:10:58 (IPRP)<321927> IP reputation located entry for address: x.x.x.x
 2020-10-07 00:10:58 (SMTP)<321927> Connection will be dropped
 2020-10-07 00:10:58 (SMTP)<321927> [g->c] 554 IP address x.x.x.x rejected [IP reputation tempfail]
With the default setting, everything in the 500-599 point range (20% of the slider) is tempfailed, and everything from 600 upward is hard failed. The "(min 500)" in the log line above shows that a score equal to a threshold already receives that threshold's action, so each range starts at its threshold. If changes need to be made, here is a chart for working out the percentages from the scores that need to be Allowed, Delayed, or Rejected:
Scores below 500 are always Allowed, so the slider starts at a score of 500. Subtract 500 to normalize the score to a 0-500 range, then divide by 5 to get the percentage:
 Action   Real score   Normalized score (-500)   Percentage (div 5)
 Allow    0-749        0-249                     0-50%
 Delay    750-799      250-299                   50-60%
 Reject   800-1000     300-500                   60-100%
For example, to Allow anything below 750, Delay 750-799, and Reject 800-1000, set the slider to 50% Allow, 10% Delay, and 40% Reject.
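The slider arithmetic above, as an added example (this is not code from the page or from the product): it turns a slider setting into the delay and reject thresholds, classifies a score the way the log line does (a score equal to the "min" value is delayed), and re-evaluates the IPRP verdicts in a piece of smg-smtp log under a proposed setting so you can see which connections would change before moving the slider. The log lines are constructed with documentation addresses; the page only shows the "delayed by IP reputation test" line, so the wording assumed for a hard rejection ("rejected by IP reputation test ... (min N)") is an assumption.

```python
import re
from dataclasses import dataclass

FLOOR = 500             # scores below 500 are always allowed; the slider starts here
POINTS_PER_PERCENT = 5  # the slider covers 500..1000, so 1% of it is 5 points


@dataclass(frozen=True)
class SliderConfig:
    """Allow / Delay / Reject percentages as set on the IP reputation slider."""
    allow_pct: int
    delay_pct: int
    reject_pct: int

    def __post_init__(self) -> None:
        parts = (self.allow_pct, self.delay_pct, self.reject_pct)
        if any(p < 0 for p in parts) or sum(parts) != 100:
            raise ValueError(f"slider parts must be >= 0 and sum to 100, got {parts}")

    @property
    def delay_min(self) -> int:
        # Lowest score that is delayed; this is the "(min N)" printed in the IPRP log line.
        return FLOOR + POINTS_PER_PERCENT * self.allow_pct

    @property
    def reject_min(self) -> int:
        # Lowest score that is hard-rejected.
        return self.delay_min + POINTS_PER_PERCENT * self.delay_pct

    def action(self, score: int) -> str:
        # The page's log line "score of 500 (min 500)" is delayed, so thresholds are inclusive.
        if score < self.delay_min:
            return "allow"
        if score < self.reject_min:
            return "delay"
        return "reject"


DEFAULT = SliderConfig(allow_pct=0, delay_pct=20, reject_pct=80)  # 500-599 delay, 600+ reject

# Matches the IPRP verdict line. The "rejected" variant is an assumption made for this example;
# the page only shows the "delayed" form.
IPRP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \(IPRP\)<(?P<conn>\d+)> "
    r"IP address (?P<ip>\S+) (?P<verb>delayed|rejected) by IP reputation test "
    r"with score of (?P<score>\d+) \(min (?P<min>\d+)\)$"
)
VERB_TO_ACTION = {"delayed": "delay", "rejected": "reject"}

# Constructed sample log (documentation IP addresses, made-up scores), default slider in effect.
SAMPLE_LOG = """\
2020-10-07 00:10:58 (IPRP)<321927> IP address 203.0.113.10 delayed by IP reputation test with score of 500 (min 500)
2020-10-07 00:10:58 (SMTP)<321927> [g->c] 554 IP address 203.0.113.10 rejected [IP reputation tempfail]
2020-10-07 00:11:02 (IPRP)<321930> IP address 203.0.113.11 delayed by IP reputation test with score of 585 (min 500)
2020-10-07 00:11:09 (IPRP)<321933> IP address 198.51.100.7 rejected by IP reputation test with score of 760 (min 600)
2020-10-07 00:11:15 (IPRP)<321937> IP address 198.51.100.8 rejected by IP reputation test with score of 910 (min 600)
"""


def parse_iprp_line(line: str):
    """Return the IP, score, logged threshold and logged action, or None for non-IPRP lines."""
    m = IPRP_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m["ip"],
        "score": int(m["score"]),
        "logged_min": int(m["min"]),
        "logged": VERB_TO_ACTION[m["verb"]],
    }


def reevaluate(log_text: str, proposed: SliderConfig):
    """For every IPRP verdict in the log, what would the proposed slider do with that score?"""
    rows = []
    for line in log_text.splitlines():
        entry = parse_iprp_line(line)
        if entry is None:
            continue  # SMTP and other non-IPRP lines carry no score
        rows.append({**entry, "proposed": proposed.action(entry["score"])})
    return rows


def changed_verdicts(log_text: str, proposed: SliderConfig):
    """Only the connections whose outcome would differ under the proposed slider."""
    return [r for r in reevaluate(log_text, proposed) if r["proposed"] != r["logged"]]


if __name__ == "__main__":
    proposed = SliderConfig(allow_pct=50, delay_pct=10, reject_pct=40)
    print(f"proposed thresholds: delay >= {proposed.delay_min}, reject >= {proposed.reject_min}")
    for r in reevaluate(SAMPLE_LOG, proposed):
        print(f"{r['ip']:<14} score {r['score']:>4}  logged={r['logged']:<6} proposed={r['proposed']}")
```

Running it with the 50/10/40 setting from the chart prints delay >= 750 and reject >= 800; the two delayed connections would be allowed, the 760 rejection would become a delay, and only the 910 rejection is unchanged. Feed it a real smg-smtp log to size the effect of a slider change before making it.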
IP reputation can be enabled in two separate locations; it is not necessary to have both enabled. If whitelisting by domain is needed, it is recommended to enable it at the policy level only.
1) Organization / Policy Management | Policy scan configuration | Inbound Mail Filter Policy (or the name of the policy that handles inbound email).
   Note: It is recommended to link it with the Spam Filter Group; that way, if a whitelist is already linked there, domains can be added to that list easily. If a separate whitelist is needed that applies only to IP reputation, then do not add it to the Spam Filter Group.
2) Module Management | Interfaces | SMTP Interface Manager | SMTP Interface | Connection Drop services
If whitelisting is needed, here are a couple of options: