OK. NO TCO OR ROI HERE. WE LIED.
Posted on April 21st, 2010 by Krisztian | Permalink

We often receive emails with questions like “Why did ORF block this email?”, “Why was this allowed through?” and “Did ORF block this one or was it something else?”. Of course, it is easy to check using the Log Viewer tool shipped with ORF, but it often turns out that ORF users are not aware of the existence of this tool. So I decided to show them what they are missing :)

What is it good for?
ORF logs everything (what it does to emails, errors, warnings, etc.) to its text log files. These files are stored in the ORF directory by default (Program Files \ ORF Enterprise Edition) with the .log extension. The Log Viewer can be used to review these text logs, so you can find out what ORF did to incoming emails and why. Let’s start the Log Viewer and see what information can be retrieved from these logs and how:

Loading the log files
You can load the log files of the last 24 hours from their default location by pressing F5. The time period and the directory from which the log files are loaded can be changed anytime by selecting File | Settings… in the main menu. You can also configure the Log Viewer to load the specified log entries immediately on startup, or drag and drop any .log file onto the Log Viewer window to load it.

[Image: Log Viewer settings]

Once the logs are loaded, the data is represented in a table view: each row represents an event or action (not an email!), and by clicking the columns you can re-order the log records by date, source IP, sender and recipient addresses and so on.

Interpreting the log records
There can be several entries for a single email. For example, if you have both Before Arrival and On Arrival tests enabled, ORF will log what happened to each recipient at Before Arrival, what happened at On Arrival, and whether there were any errors or problems during the testing of the email, etc. These are all logged in separate records. The message column gives detailed information about each record and is pretty straightforward.

Searching and filtering the log records
Any entry can be quickly located by using the Search option (Ctrl+F). If you want to review multiple entries based on certain criteria, there is an excellent Filter builder in the Log Viewer (Shift + Ctrl + F). Just like the manual lists of the Administration Tool, it supports wildcards and regular expressions. For example, you can set up a filter to list all blacklisted emails sent from sender@senderdomain.com to any recipient in mydomain.com where the subject does not contain the word “meeting”:

[Image: filter]

You can also filter for log record types like warnings and errors. Moreover, you can save your filters for future use.

Next time, we will check out the ORF Reporting Tool, so stay tuned.

Posted on April 8th, 2010 by Krisztian | Permalink

We have received sporadic reports of ORF blacklisting emails from the users’ own domain because it does not find any MX or A/CNAME record for it. Of course, these records clearly exist when checked from the outside using nslookup, which makes the customer believe there is something wrong with ORF.

Actually, the problem is DNS-related and typically occurs when somebody uses a local DNS server in ORF for DNS resolution (which is recommended), but the very same local DNS server acts as the authoritative DNS for their own domain. Being authoritative, it answers from its own copy of the zone instead of asking the public DNS, so records that exist only in the public zone are invisible to ORF. A common factor leading to this is an internal AD domain that has the same name as the public domain (e.g. domain.com, instead of domain.local or domain.internal or something like that).

To solve this, you should either switch to external DNS servers in ORF, or consider setting up another DNS server (e.g. on the local host) that forwards to the root DNS servers. The latter is the recommended method.
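
To confirm the diagnosis above, or to verify the fix afterwards, you can compare the two DNS views directly on the ORF server. The PowerShell functions below are an added example, not ORF code or tooling: they ask both the DNS server configured in ORF and an outside resolver for the domain's MX, A and CNAME records and warn when only the outside view has them. The function names and the addresses in the usage comment are assumptions; `Resolve-DnsName` is the standard Windows DNS client cmdlet.

```powershell
# Added example, not ORF code. Compares the answers ORF's DNS server gives for a
# sender domain with those of an outside resolver (the records ORF looks for).
function Get-SenderDomainRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Server
    )
    foreach ($type in 'MX', 'A', 'CNAME') {
        # -DnsOnly: plain DNS, no LLMNR/NetBIOS. Keep only real answers of the requested
        # type; a "no data" reply carries just an SOA record in the Authority section.
        $answers = @(Resolve-DnsName -Name $Domain -Type $type -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq $type })
        $data = foreach ($a in $answers) {
            switch ($type) {
                'MX'    { $a.NameExchange }
                'A'     { $a.IPAddress }
                'CNAME' { $a.NameHost }
            }
        }
        [pscustomobject]@{ Type = $type; Found = $answers.Count -gt 0; Data = $data -join ', ' }
    }
}

function Compare-SenderDomainDns {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $LocalDns,     # the DNS server configured in ORF
        [Parameter(Mandatory)] [string] $ExternalDns   # any resolver outside your network
    )
    $local    = Get-SenderDomainRecords -Domain $Domain -Server $LocalDns
    $external = Get-SenderDomainRecords -Domain $Domain -Server $ExternalDns
    foreach ($l in $local) {
        $e = $external | Where-Object Type -eq $l.Type
        [pscustomobject]@{ Type = $l.Type; Local = $l.Data; External = $e.Data }
    }
    $localAny    = @($local    | Where-Object Found).Count -gt 0
    $externalAny = @($external | Where-Object Found).Count -gt 0
    if (-not $localAny -and $externalAny) {
        Write-Warning "$LocalDns has no MX or A/CNAME for $Domain, but $ExternalDns does: the local zone hides the public records."
    } elseif (-not $localAny) {
        Write-Warning "Neither server returned MX or A/CNAME records for $Domain."
    }
}

# Usage (constructed placeholder addresses, replace with your own):
# Compare-SenderDomainDns -Domain 'domain.com' -LocalDns '192.0.2.53' -ExternalDns '198.51.100.53'
```

Errors are suppressed, so a server that is unreachable also shows up as "no records"; check basic connectivity to both servers before trusting the warning.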