Related ip in log viewer - ORF Forums

Hello John,

The IP address recorded in the “Related IP” field of the ORF log should be interpreted as the IP address related to the logged *event*, which is not necessarily the source IP of the incoming email. Unless the event is directly related to an IP-based test, such as the IP blacklist, IP Whitelist or the SPF Test (etc.), the Related IP field will show the IP address of the last delivery hop - in your case, the IP of your router.

That being said, if any of the relaying intranet hosts (e.g. a firewall) strips the "Received:" header fields (i.e. the delivery history) of the incoming emails, then ORF will not be able to determine the actual source IP of the email and it will use - and log - the wrong IP for its tests. In such a case, you have to review the configuration of the problematic filtering agent or relay host and disable any feature that removes this critical information from the message headers.

If you have any additional questions or require further clarification, just let me know.

You would certainly notice it. When an email is sent over the internet (or any network), each relay host adds its own information -- including its IP address -- and a time-stamp to the email's message header as a "Received:" from line, so the email can be traced back to the original sender by analyzing these header lines. ORF automatically whitelists emails that originate from Class A (10.0.0.0 - 10.255.255.255), Class B (172.16.0.0 - 172.31.255.255) and C (192.168.0.0 - 192.168.255.255) private intranet address ranges - and the local host address (127.0.0.1) - thus, if a relay host between your network perimeter and the ORF server were to wipe out the "Received:"header lines (i.e. the list of previous delivery hops), ORF would whitelist every single incoming email, because it would "think" that they were sent from an internal host. If you want to learn how ORF determines the source IP address exactly, please consult the following article: http://vamsoft.com/support/docs/orf-help/5.4/headeranalysis

In Outlook 2016, 2013 and 2010 the message header can be viewed in the email "Properties" dialog, in the "Internet headers" box: https://support.office.com/en-us/article/View-e-mail-message-headers-cd039382-dc6e-4264-ac74-c048563d212c

I am afraid you cannot force ORF to log the source IP of the email for all of the recorded events. As I mentioned previously, unless the event is directly related to an IP-based test, ORF logs the IP address of the the last delivery hop (i.e. the IP address of the last connecting host) in all cases, except if the IP is strictly related to the event, such as an IP Whitelist, IP Blacklist, DNS Blacklist or Greylisting (etc.) hit. In other words, you are not guaranteed to see the source IP address, except if the email was blacklisted or whitelisted due to the IP address that ORF checked.

@john.kesoglou: No, there has been no change in ORF in this regard. If you want to see the source IP address of the emails, I suggest that you re-deploy ORF on the network perimeter behind a transparent firewall or assign all tests - where applicable - to the On Arrival filtering point only (on the Filtering > Tests page in the ORF Administration Tool). The email header that contains the delivery history (i.e. the Received header lines) - and is used by ORF to determine the source IP address - is available/transmitted at the On Arrival filtering point only. At Before Arrival, ORF will simply use and log(!) the IP address of the connecting host for the IP-based tests, or if the connecting IP is on the Intermediate Host List, it will wait for the header to arrive and test the email at On Arrival.

As for your second question, hard-coded items and features cannot be modified in ORF. Even if you could remove the hard-coded IP ranges from the Intermediate Host List (IHL), it would not change the fact that ORF does not log the IP address of the actual sender for every event - and you would still need to add the IP address of every single relay host that belongs to your organization (private intranet or external) and that relays emails to the ORF server, otherwise ORF would not be able to determine the correct source IP address of the incoming emails. In any case, if ORF is set to filter the incoming emails first (see: http://vamsoft.com/support/docs/knowledge-base/filtering-order-exch2k13), then you should be able to see *all* the incoming mail traffic.

However, if you do not want to see the IP address of any of your hosts that relay emails to ORF, reconfigure them to work in transparent relay mode or as I mentioned before, move ORF to the network perimeter (see: https://vamsoft.com/support/docs/how-tos/deployment-5.4).