I see entries in the log that mention two different IP addresses for the same connection. Why is this? For example:

H=tip-mp8-ncs-13.stanford.edu ([36.173.0.189]) [36.173.0.156]

The actual IP address from which the call came is the final one. Whenever there's something in parentheses in a host name, it is what the host quoted as the domain part of an SMTP HELO or EHLO command. So in this case, the client, despite being 36.173.0.156, issued the command

EHLO [36.173.0.189]

when it sent your server the message. This is, of course, very misleading.