Logging Outgoing Emails - ORF Forums


1

Latest ORF installment.
Exchange 2016 CU2 (Co-Existence with Exchange 2010 SP3)

Is there any reason why ORF is logging all outgoing emails?
It's an intermediate so that's what it shows. It always showed the auto-sender list additions, but this isn't those.
1. If I send email to someone else on the same server, it gets logged.
2. If I send email to anyone outside the organization, it gets logged.
3. If someone sends from Exchange 2010 to someone else on Exchange 2010, it doesn't get logged with ORF on that server.

Thanks,
Jean

by Jean 8 years ago
2

@Jean: Hello Jean,

When emails are relayed from one mail server to another (e.g. to a front-end server) within your organization, ORF may "see" the internal or outbound traffic on the receiving server as inbound and log them accordingly. Emails originating from Class A (10.0.0.0 - 10.255.255.255), Class B (172.16.0.0 - 172.31.255.255) and C (192.168.0.0 - 192.168.255.255) private intranet address ranges (and from the local host 127.0.0.1) are whitelisted automatically to avoid filtering intranet or outbound emails, thus you might find whitelist entries logged for such emails in the ORF logs. This is when you see the message "Email whitelisted (email from a trusted intermediate host or intranet)."

Does the above explain what you are experiencing?

by Daniel Novak (Vamsoft) 8 years ago
(in reply to this post)

3

@Daniel Novak (Vamsoft): Not really, but I might have detected something.

Our frontend receiver is 10.0.0.30. The same server's primary IP is 10.0.0.11. When people on the server send email to each other the "Related IP" is getting logged under 10.0.0.11.

So maybe ORF is logging these because they are probably going from 10.0.0.11 to 10.0.0.30 between receive connectors on the same machine?

I haven't seen anything logged under "Related IP" of 10.0.0.30 yet.

by Jean 8 years ago
(in reply to this post)

4

@Jean: I take that back. I am seeing 10.0.0.30 "Related IP" sending emails to itself. This IP is our SMTP frontend receiver.

by Jean 8 years ago
(in reply to this post)

5

Is there something I can check to compare on our 2010 server vs 2016 server?

The 2010 server doesn't do it.

by Jean 8 years ago
6

@Jean: I believe this has to do with your Exchange connector configuration, but I am only guessing here. Could you send us (to ) the ORF configuration file (orfent.ini) and your most recent ORF log files from the past 1-2 days (e.g. orfee-2016-10-03.log, orfee-2016-10-04.log) along with a short description of your system setup (e.g. front-end / back-end mail servers, smart-hosts etc.), please? We will look into this.

The requested ORF files can be found in the ORF program directory by default (\Program Files (x86)\ORF Fusion).

by Daniel Novak (Vamsoft) 8 years ago
(in reply to this post)

7

Email sent...

by Jean 8 years ago
8

I wanted to put the resolution here.

Version affected:
Exchange 2016 & probably Exchange 2013

What happens:
All incoming & outgoing email even internal gets logged/scanned in ORF

Why?:
In Exchange 2016, and not Exchange 2010, when mail is going from someone to someone on the same server, it will actually send SMTP to the hub/frontend transport and then SMTP back to the mailbox. Since ORF scans all SMTP traffic to the hub/frontend transport, it gets scanned, so all incoming and outgoing emails on Exchange 2016 get scanned. This is by MS design, and from what I can see you can't get around this with a single-server setup.

by jean.davis 7 years ago
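
An added example, not part of the original thread and not ORF code: a way to check which "Related IP" values from a log export fall inside the intranet ranges quoted in the second post, so same-server loopback traffic such as 10.0.0.11 and 10.0.0.30 can be told apart from external senders. The record layout, function names and sample rows are constructed for illustration; only the address ranges come from the thread.

```python
import ipaddress
from collections import Counter

# Ranges exactly as quoted in the thread. 127.0.0.1 is listed as a single
# host there, so the rest of 127.0.0.0/8 is deliberately not included.
INTRANET_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 - 192.168.255.255
    ipaddress.ip_network("127.0.0.1/32"),    # local host
]

def is_intranet(ip_text):
    """True if ip_text is an IPv4 address inside one of the quoted ranges."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # malformed field: never treat as trusted
    return ip.version == 4 and any(ip in net for net in INTRANET_RANGES)

def summarize(records):
    """Count records per related IP, split into (intranet, other)."""
    intranet, other = Counter(), Counter()
    for related_ip, _note in records:
        bucket = intranet if is_intranet(related_ip) else other
        bucket[related_ip.strip()] += 1
    return intranet, other

# Constructed sample rows: (related IP, note). Hypothetical layout, not the
# ORF log format.
SAMPLE = [
    ("10.0.0.11", "user to user on the same server"),
    ("10.0.0.30", "frontend receiver sending to itself"),
    ("10.0.0.30", "frontend receiver sending to itself"),
    ("172.32.0.1", "just outside 172.16.0.0 - 172.31.255.255"),
    ("203.0.113.25", "external sender (documentation range)"),
    ("not-an-ip", "malformed field"),
]

if __name__ == "__main__":
    intranet, other = summarize(SAMPLE)
    print("intranet:", dict(intranet))
    print("other:   ", dict(other))
```
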
