Hello Shane,
To get the IP Address you will need to review the SMTP Log. Below is an explanation of how to track a message back and forth through the logs.
We start with the SMTP log when the message hits the server. The Session ID will let you see the full session. If you have the MessageID of the email from the junk email folder, spool, or anywhere, you can search for that with "Display Related Traffic" enabled to get the full session. And if you have the EML/HDR number from the spool or another log.
[2025.03.13] 09:25:22.663 [10.1.1.80][44848045] rsp: 220 sup-ascholzl.st.local
[2025.03.13] 09:25:22.695 [10.1.1.80][44848045] connected at 3/13/2025 9:25:22 AM
[2025.03.13] 09:25:22.780 [10.1.1.80][44848045] Country code: Unknown
[2025.03.13] 09:25:22.780 [10.1.1.80][44848045] IP in whitelist
[2025.03.13] 09:25:22.798 [10.1.1.80][44848045] cmd: ehlo Tony-MBP.local
[2025.03.13] 09:25:22.807 [10.1.1.80][44848045] rsp: 250-sup-ascholzl.st.local Hello [10.1.1.80]250-SIZE 699050666250-AUTH LOGIN CRAM-MD5250-8BITMIME250-SMTPUTF8250-DSN250 OK
[2025.03.13] 09:25:22.980 [10.1.1.80][44848045] Sender accepted. Weight: 0.
[2025.03.13] 09:25:23.308 [10.1.1.80][44848045] cmd: data
[2025.03.13] 09:25:23.324 [10.1.1.80][44848045] Performing PTR host name lookup for 10.1.1.80
[2025.03.13] 09:25:23.382 [10.1.1.80][44848045] PTR host name for 10.1.1.80 resolved as UnknownHost
[2025.03.13] 09:25:23.577 [10.1.1.80][44848045] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2025.03.13] 09:25:24.274 [10.1.1.80][44848045] DMARC Results: None (Domain: , Reason: No DMARC record found), Reason: No DMARC record found, Reject? False
[2025.03.13] 09:25:24.274 [10.1.1.80][44848045] rsp: 250 OK
[2025.03.13] 09:25:24.296 [10.1.1.80][44848045] Received message size: 984 bytes
[2025.03.13] 09:25:25.161 [10.1.1.80][44848045] Successfully wrote to the HDR file. (/var/lib/smartermail/Spool/SubSpool3/25720549555.hdr)
[2025.03.13] 09:25:25.189 [10.1.1.80][44848045] cmd: QUIT
[2025.03.13] 09:25:25.189 [10.1.1.80][44848045] rsp: 221 Service closing transmission channel
[2025.03.13] 09:25:25.189 [10.1.1.80][44848045] disconnected at 3/13/2025 9:25:25 AM
Next, we look at the Delivery Logs. I am going to use the Eml/Hdr number (25720549555) to do my search with "Display Related Traffic" enabled. In the logs below you will notice that the Delivery Session ID is a portion of this number [25720549555 -> 20549555].
[2025.03.13] 09:25:28.342 [20549555] Added to SpamCheckQueue (1 queued; 0/30 processing)
[2025.03.13] 09:25:28.361 [20549555] [SpamCheckQueue] Begin Processing.
[2025.03.13] 09:25:28.539 [20549555] Blocked Sender Checks started.
[2025.03.13] 09:25:28.539 [20549555] Blocked Sender Checks completed.
[2025.03.13] 09:25:41.841 [20549555] Spam Checks started.
[2025.03.13] 09:25:47.719 [20549555] Finished running spam checks. Time (non-rbls): 4438ms, Time (URIBL/RBLS): 1336ms
[2025.03.13] 09:25:47.756 [20549555] Spam Check results: [_DMARC: 0,none], [REVERSE DNS LOOKUP: 15,ReverseFailed], [NULL SENDER: 0,passed], [_INTERNALSPAMASSASSIN: 0:0], [_SPF: 10,SoftFail], [_DKIM: 10,None], [_ARC: none], [HOSTKARMA: 0], [SPAMCOP: 0], [UCEPROTECT LEVEL 1: 0], [BACKSCATTER: 0], [SEM - BLACK: 0], [BARRACUDA: 0], [UCEPROTECT LEVEL 2: 0], [SURRIEL: 0], [TRUNCATE: 0], [SPAMHAUS: 0], [URIBL BLACK: 0], [SEM-URI: 0]
[2025.03.13] 09:25:47.756 [20549555] Spam Checks completed.
[2025.03.13] 09:25:47.759 [20549555] Removed from SpamCheckQueue (0 queued or processing)
[2025.03.13] 09:25:49.554 [20549555] Added to LocalDeliveryQueue (1 queued; 0/50 processing)
[2025.03.13] 09:25:49.554 [20549555] [LocalDeliveryQueue] Begin Processing.
[2025.03.13] 09:25:49.999 [20549555] Message saved to MailProcessing directory for admin@ascholz.linux. File name: 20549555-30011-NOID.tmpmsg
[2025.03.13] 09:25:50.022 [20549555] Process delivery status notification step from local recipient success. Recipient: [admin@ascholz.linux], Notify: [], Delivered: [True], Forwarded: [False], Deleted: False
[2025.03.13] 09:25:50.170 [20549555] Removed from LocalDeliveryQueue (0 queued or processing)
[2025.03.13] 09:25:52.563 [20549555] Removing Spool message: Killed: False, Failed: False, Finished: True
Using the same Eml/Hdr number (25720549555) I will also search the Spam Check Logs to get any details needed as well. This will show any Spam Checks that were run during the Delivery Thread.
[2025.03.13] 09:25:28.361 [20549555] SpamCheck Processing Thread Started
[2025.03.13] 09:25:28.540 [20549555] Filetype Checks started.
[2025.03.13] 09:25:28.547 [20549555] Filetype Checks completed.
[2025.03.13] 09:25:28.547 [20549555] ClamD Checks started.
[2025.03.13] 09:25:41.840 [20549555] ClamD Checks completed.
[2025.03.13] 09:25:41.943 [20549555] Spam checks to run: Reverse Dns Lookup, Null Sender, Internal SpamAssassin, _SPF, _DKIM, _ARC, Backscatter, Barracuda, HostKarma, SEM - Black, SpamCop, Spamhaus, Truncate, UCEProtect Level 1, UCEProtect Level 2, SEM-URI, URIBL Black, Surriel
[2025.03.13] 09:25:41.944 [20549555] Found 18 spam checks to run: Reverse Dns Lookup, Null Sender, Internal SpamAssassin, _SPF, _DKIM, _ARC, Backscatter, Barracuda, HostKarma, SEM - Black, SpamCop, Spamhaus, Truncate, UCEProtect Level 1, UCEProtect Level 2, SEM-URI, URIBL Black, Surriel
[2025.03.13] 09:25:42.014 [20549555] [10.1.1.80] No valid reverse DNS entry found.
[2025.03.13] 09:25:45.793 [20549555] Running SPF check
[2025.03.13] SPF Record: v=spf1 include:spf.efwd.registrar-servers.com ~all
[2025.03.13] 09:25:46.348 [20549555] Finished SPF check; result = SoftFail
[2025.03.13] 09:25:46.348 [20549555] [DKIM] Performing DKIM check...
[2025.03.13] 09:25:46.382 [20549555] [DKIM] Result: NoSignature.
[2025.03.13] 09:25:46.382 [20549555] [ARC] Performing ARC verification...
[2025.03.13] 09:25:47.719 [20549555] Spam Checks took 5822 ms
[2025.03.13] 09:25:47.756 [20549555] Spam Checks completed.
[2025.03.13] 09:25:47.758 [20549555] SpamCheck Processing Thread Completed
Hope this helps
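The correlation walked through above, as an added example that is not part of the original reply: given a Delivery Session ID, it finds the SMTP session whose HDR file number ends with that ID and returns the connecting IP. The function names are hypothetical, the log lines are constructed from the shapes quoted in the post, and the suffix match is an assumption drawn from the single 25720549555 -> 20549555 example.

```python
import re

# Constructed sample lines, shaped like the SMTP and Delivery logs in the post.
SMTP_LOG = """\
[2025.03.13] 09:25:22.695 [10.1.1.80][44848045] connected at 3/13/2025 9:25:22 AM
[2025.03.13] 09:25:22.798 [10.1.1.80][44848045] cmd: ehlo Tony-MBP.local
[2025.03.13] 09:25:25.161 [10.1.1.80][44848045] Successfully wrote to the HDR file. (/var/lib/smartermail/Spool/SubSpool3/25720549555.hdr)
[2025.03.13] 09:25:25.189 [10.1.1.80][44848045] disconnected at 3/13/2025 9:25:25 AM
"""
DELIVERY_LOG = """\
[2025.03.13] 09:25:28.342 [20549555] Added to SpamCheckQueue (1 queued; 0/30 processing)
[2025.03.13] 09:25:47.756 [20549555] Spam Check results: [REVERSE DNS LOOKUP: 15,ReverseFailed], [_SPF: 10,SoftFail], [_DKIM: 10,None]
"""

# SMTP lines carry [client IP][session ID]; delivery lines carry only [session ID].
SMTP_LINE = re.compile(r"^\[[\d.]+\] [\d:.]+ \[([^\]]+)\]\[(\d+)\] (.*)$")
DELIVERY_LINE = re.compile(r"^\[[\d.]+\] [\d:.]+ \[(\d+)\] (.*)$")
HDR_FILE = re.compile(r"wrote to the HDR file\. \(.*[\\/](\d+)\.hdr\)")


def smtp_sessions(smtp_log):
    """Map each HDR number to the (client IP, SMTP session ID) that wrote it."""
    sessions = {}
    for line in smtp_log.splitlines():
        m = SMTP_LINE.match(line)
        if m and (hdr := HDR_FILE.search(m.group(3))):
            sessions[hdr.group(1)] = (m.group(1), m.group(2))
    return sessions


def trace(delivery_id, smtp_log, delivery_log):
    """Resolve a Delivery Session ID to the originating IP and its log lines."""
    hits = [(hdr, ip, sid) for hdr, (ip, sid) in smtp_sessions(smtp_log).items()
            if hdr.endswith(delivery_id)]  # assumption: ID is a suffix of the HDR number
    if len(hits) != 1:
        return None  # no match or an ambiguous suffix: review the logs by hand
    hdr, ip, sid = hits[0]
    events = [m.group(2) for line in delivery_log.splitlines()
              if (m := DELIVERY_LINE.match(line)) and m.group(1) == delivery_id]
    return {"ip": ip, "smtp_session": sid, "hdr": hdr, "events": events}


if __name__ == "__main__":
    print(trace("20549555", SMTP_LOG, DELIVERY_LOG))
```
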