==== Required information ====
- iRedMail version: 0.8.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: Debian Wheezy
====

I'm seeing weird entries in my mail.log(sensitive data replaced):

Nov 24 08:36:53 hostname amavis[5816]: (05816-03) Passed CLEAN {RelayedInternal}, LOCAL [209.85.212.179]:45856 [X.X.X.5] <someuser@gmail.com> -> <user@mydomain.com>, Queue-ID: 6C1F920B820E, Message-ID: <5476E008.006.00206B842947.user@mydomain.com>, mail_id: mTRb0SP_6Ik2, Hits: -102.673, size: 355606, queued_as: A22059F6026, dkim_sd=20120113:gmail.com, 3954 ms

My server has multiple ip addresses on one interface. On X.X.X.4 is my mail server and on X.X.X.5 is my DNS server.
The weird part from the above part of the log that I'm starting to notice is this: LOCAL [209.85.212.179]:45856 [X.X.X.5] - the first ip address is the one that sends HELO(I would say gmail smtp) but the second ip adress X.X.X.5 is ip of my DNS server. Shouldn't that be the client ip that is sending the mail? Why is my DNS ip insted there?

This is not a common issue, I see it only occasionally but want to know why is happening because I got an abuse reported of a bad sasl originating from X.X.X.5 ip to blocklist.de postfix server but my mail server is on X.X.X.4.