How can I force checks ? - ORF Forums

How can I force checks ? RSS Back to forum



we have a box which is not a backup MX but it's sitting in front of our main mail server and just passes all the emails to main Exchange server.

Orf will accept all the emails without really checking them. Problem is that the other box is on and main mail server is so same subnet.

Is there any way of forcing orf to check all the emails from 248 ?
Thank you

by Bartosz Morawiec 9 years ago

@Bartosz Morawiec: If there is a non-transparent front-end between ORF and the Internet, you should assign all test to the On Arrival filtering point (in the ORF Administration Tool: Configuration / Tests / Tests) and save your settings to apply the changes, so ORF can "look behind" this host ( by checking the headers of incoming emails. For more information, please read our best practices guide at and the "Header Analysis" topic in the ORF Help.

If it still does not work this way, that could mean that something at the front-end removes the delivery path information from the email headers. It is a known issue with ISA servers (, and we have seen similar problems with some firewall appliances as well. If that's the case, you should configure the front-end not to remove the delivery path information, or install ORF on the front-end server (if possible).

by Krisztian Fekete (Vamsoft) 9 years ago
(in reply to this post)


@Krisztian Fekete (Vamsoft): Hi,

those are actual headers from incoming emails:

Received: from mailrelay.local.************.com ( by

SERVER3.local.************.com ( with Microsoft SMTP Server

id; Wed, 30 Jun 2010 15:26:37 +0100

Received: from localhost (localhost []) by

mailrelay.local.************.com (Postfix) with ESMTP id 40A543E51B8 for

; Wed, 30 Jun 2010 15:27:53 +0100 (BST)

Received: from mailrelay.local.************.com ([]) by localhost

(mailrelay.local.************.com []) (amavisd-new, port 10024)

with ESMTP id 6Cmytkrocu88 for ; Wed, 30

Jun 2010 15:27:53 +0100 (BST)

X-Greylist: delayed 165915 seconds by postgrey-1.31 at mailrelay.local.************.com; Wed, 30 Jun 2010 15:27:53 BST

Received: from ( [])

by mailrelay.local.************.com (Postfix) with SMTP id 0A7EB3E51B5

for ; Wed, 30 Jun 2010 15:27:52 +0100 (BST)

Received: from TANGANYIKA.****.com

( [**.**.**.**]) by; Wed, 30 Jun 2010 15:30:23 +0100

Received: from juba.****.com ([**.**.**.**]) by

TANGANYIKA.****.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 30

Jun 2010 15:30:20 +0100

X-MimeOLE: Produced By Microsoft Exchange V6.5

Content-Class: urn:content-classes:message

MIME-Version: 1.0


Date: Wed, 30 Jun 2010 15:30:19 +0100


X-MS-Has-Attach: yes


Thread-Index: AcsYYMQ4zA8T0POCQzWV9FgmGoiyCw==

From: **** ****

To: **** ****

X-OriginalArrivalTime: 30 Jun 2010 14:30:20.0003 (UTC) FILETIME=[C4551B30:01CB1860]

X-MC-Unique: 110063015302300302

Content-Type: multipart/related;



Return-Path: j****@****.com

So as you can see all the info is preserved in this email

all the tests has been set to "BOTH" but now they have been changed to On Arrival as you mentioned - anything else I can do ?

by Bartosz Morawiec 9 years ago
(in reply to this post)


And one more thing - in "Related IP" i have in 99.999% of time 60.248 ip address and only 5 (five) external IP's which actually has been rejected.

by Bartosz Morawiec 9 years ago

@Bartosz Morawiec: The headers seem to be OK, On Arrival filtering should work... Are you absolutely sure these emails are ignored by ORF? What does the ORF log indicate for these emails in the message column (you can check using the ORF Log Viewer): did they simply "pass checks" or were "whitelisted"?

by Krisztian Fekete (ORF Team) 9 years ago
(in reply to this post)


@Bartosz Morawiec: "And one more thing - in "Related IP" i have in 99.999% of time 60.248 ip address..."

ORF will log the source IP in the "related IP" field only if the IP was related to the event (e.g. an IP found in the header was blacklisted by the DNS Blacklist test). If the email simply passed checks, whitelisted, or the IP was not related to the event (e.g. Keyword Blacklist blacklisted the email), ORF will log the last delivery hop (i.e. the host it received the email from, in your case the 60.248 IP).

"...and only 5 (five) external IP's which actually has been rejected."

That means the filtering works, but your configuration is not optimal. Please send us your current ORF configuration file called orfent.ini and your .log files from the past 1-2 days (orfee-2010-07-28.log, orfee-2010-07-27.log) to . These files are located in the ORF directory by default (Program Files \ ORF Enterprise Edition). Please send us raw .log files, Log Viewer exports are not suitable.

If you agree, I will review your configuration and make some suggestions to improve the filtering efficiency.

by Krisztian Fekete (ORF Team) 9 years ago
(in reply to this post)


I am happy for you to do whatever needed. I will send logs and configurations right now.

by Bartosz Morawiec 9 years ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2