What about using "ignored addresses" in webshield to not redirect for the IP of the secure server used? I can't tell which one it is, but it is probably a different IP for the authentication server than for the regular mail server. In other words, redirect the www address IP as usual, don't redirect traffic to the other IPs.