> Jim,
>
> > Running 2.6.4 with Zimbra.
> > I've noticed sometimes there are two sets of IP addresses logged:
> >
> > Mar 10 17:22:55 mymail amavis[25723]: (25723-14) Passed SPAMMY,
> > [98.139.44.147] [41.138.89.39] ...
> >
> > Can someone tell me where these are pulled from?
> > (Which part of the message header.)
>
> This is coming from a default log template, it inserts macros %a and %e,
> if nonempty. According to README.customize:
>
>   a  original SMTP session client IP address (info from XFORWARD)
>   e  best guess of the originator IP address collected from the Received
>      trace
In other words, the first address is the immediate SMTP client's address from which it connected to your MX, and is passed from Postfix to amavisd through its XFORWARD extension SMTP command. So this is the last hop, the information is guaranteed to be correct.

The second address is obtained by parsing trace fields in a mail header section, bottom-up, skipping private IP addresses. So this is possibly the end-user's IP address from which he connected to *his* MSA. There is no guarantee that this information is correct, header could be faked or trimmed/obfuscated.

Mark
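
The bottom-up Received walk described above, sketched in Python as an added example (not part of the original message and not amavisd's own code). The private-range list, the helper names, the host names and the documentation-range addresses are constructed assumptions; the second sample shows how one sender-supplied trace field changes the %e guess while the XFORWARD-derived %a stays the same.

```python
import email
import ipaddress
import re

# Ranges skipped as non-routable (assumed list: RFC 1918, loopback, link-local, ULA).
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def originator_guess(raw_message):
    """Walk Received fields bottom-up; return the first non-private IP or None."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    for field in reversed(received):            # bottom field = oldest claimed hop
        for text in BRACKETED.findall(field):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:                  # bracketed text that is not an IP
                continue
            if not any(ip in net for net in PRIVATE):
                return str(ip)
    return None

def log_addresses(client_ip, raw_message):
    """Render '[%a] [%e]' as in the log line; %e is left out when empty."""
    guess = originator_guess(raw_message)
    return f"[{client_ip}]" + (f" [{guess}]" if guess else "")

# Constructed sample (documentation-range addresses, hypothetical host names).
GENUINE = (
    "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
    "\tby mymail.example.org (Postfix); 10 Mar 2014 17:22:50 +0000\n"
    "Received: from [192.168.1.20] (dsl.example.net [203.0.113.45])\n"
    "\tby mx.example.net with ESMTPSA; 10 Mar 2014 17:22:48 +0000\n"
    "Subject: test\n\nbody\n")
# Same message with one extra sender-supplied trace field at the bottom.
FORGED = GENUINE.replace(
    "Subject:", "Received: from host (host [192.0.2.99]) by relay.invalid;"
    " 10 Mar 2014 17:00:00 +0000\nSubject:")

if __name__ == "__main__":
    print(log_addresses("198.51.100.7", GENUINE))  # %a from XFORWARD, %e from header
    print(log_addresses("198.51.100.7", FORGED))   # %a unchanged, %e now the forged hop
```

For blocking or rate-limiting decisions, key on the first address only; treat the second as a hint for investigation.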
