Some non obvious "bad" ways of configuring surgemail are described here:
SPF and ORBS (and other) spam control techniques make use of the senders IP address to identify spam. If you place a virus wall virus filter in front of surgemail, surgemail will see the IP address of the "virus wall" scanner for all the inbound mail making the use of SPF entirely useless.
If you do wish to use an external smtp virus scanner, instead use surgemails ability to pass mail through an external smtp virus scanner.
A second reason this is a bad idea is that in almost all cases the virus scanner will accept mail for all addresses at your domain including invalid accounts. This is almost as bad as having a fallback address setup as it will get your server listed as an easy target for spammers and you will receive lots of spam that takes up lots of your bandwidth.
It is a bad idea to send warnings emails to the "senders" of infected messages. Almost all modern viruses and trojans use fake mail from addresses. This means that you send out these warnings to fake addresses and as a result get your own server blacklisted by places like Spamcop for the sending of spam.
The same holds for the "to addresses" for mail coming from trusted computers (eg relaying or using smtp authentication).
If you use SPF you should avoid most of the problem of fake addresses coming in from the internet but does not affect mail coming from trusted computers.