My exim.conf version is 4.5.12 from August 15, 2018. My exim.variables.conf.custom contains:
(domainlist relay_domains and log_selector are manually commented out in exim.conf .)
I have easy spam fighter in place but I don't think it matters.
Setup
My server #server# has a main shared IP address #A#.
Let's say I have a two users:
#john# who owns a domain example.com with a let's encrypt SSL certificate. This user is set up with a single, dedicated IP address, #B#.
#jane# who owns a domain example.net with a let's encrypt SSL certificate. This user is set up with a single, dedicated IP address, #C#.
The variables custom settings above are symbolic links that point towards the correct certificate for example.com and example.net. This is all working fine.
The following DNS records are in place - I believe these are the defaults and I didn't change anything in the past and then forgot about it (they are analogous for both users):
#john# has created a forwarder [email protected] which points at [email protected] .
#jane# has her own e-mail address, [email protected].
Problem
The owner of [email protected] wants to send an e-mail to [email protected] . Jane's e-mail client connects to smtp.example.net on IP address #C#, no problem so far. Here's a real log of one such interaction:
Exim is identifying itself to gmail as [email protected] . So what does gmail have to say about that?
Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate #C# as permitted sender) client-ip=#C#;
gmail is right - Only #B# and #A# can send on behalf of example.com, as seen above. Is there any way to fix this without extensive manual setup for every user? (I have several more with this setup.)
Code:
ignore_bounce_errors_after=1d
timeout_frozen_after=5d
hostlist relay_hosts=localhost
domainlist relay_domains=lsearch;/etc/virtual/domains : localhost
tls_verify_certificates = ${if exists {/etc/exim/$received_ip_address.cacert} {/etc/exim/$received_ip_address.cacert}}
tls_certificate = ${if exists {/etc/exim/$received_ip_address.cert} {/etc/exim/$received_ip_address.cert} {/etc/exim.cert}}
tls_privatekey = ${if exists {/etc/exim/$received_ip_address.key} {/etc/exim/$received_ip_address.key} {/etc/exim.key}}
log_selector = \
+incoming_interface \
+delivery_size \
+sender_on_delivery \
+received_recipients \
+received_sender \
+smtp_confirmation \
+subject \
+smtp_incomplete_transaction \
-dnslist_defer \
-host_lookup_failed \
-queue_run \
-rejected_header \
-retry_defer \
-skip_delivery \
+arguments(domainlist relay_domains and log_selector are manually commented out in exim.conf .)
I have easy spam fighter in place but I don't think it matters.
Setup
My server #server# has a main shared IP address #A#.
Let's say I have a two users:
#john# who owns a domain example.com with a let's encrypt SSL certificate. This user is set up with a single, dedicated IP address, #B#.
#jane# who owns a domain example.net with a let's encrypt SSL certificate. This user is set up with a single, dedicated IP address, #C#.
The variables custom settings above are symbolic links that point towards the correct certificate for example.com and example.net. This is all working fine.
The following DNS records are in place - I believe these are the defaults and I didn't change anything in the past and then forgot about it (they are analogous for both users):
Code:
example.com. TXT "v=spf1 a mx ip4:#A# ~all"
example.com. MX 10 mail
mail A #B#
smtp A #B##john# has created a forwarder [email protected] which points at [email protected] .
#jane# has her own e-mail address, [email protected].
Problem
The owner of [email protected] wants to send an e-mail to [email protected] . Jane's e-mail client connects to smtp.example.net on IP address #C#, no problem so far. Here's a real log of one such interaction:
Code:
2019-01-24 14:44:25 1gmgEz-0003DU-HZ <= [email][email protected][/email] H=([100.99.61.173]) [...] I=[#C#]:587 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:[email protected] S=10930 [email protected] T="Re: Test" from <[email protected]> for [email][email protected][/email] [email][email protected][/email]
2019-01-24 14:44:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gmgEz-0003DU-HZ
2019-01-24 14:44:25 cwd=/tmp 4 args: /usr/sbin/exim -oMr spam-scanned -bS
2019-01-24 14:44:25 1gmgEz-0003Dc-Na <= [email][email protected][/email] U=mail P=spam-scanned S=11344 [email protected] T="Re: Test" from <[email protected]> for [email][email protected][/email] [email][email protected][/email]
2019-01-24 14:44:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gmgEz-0003Dc-Na
2019-01-24 14:44:25 1gmgEz-0003Dc-Na => jane <[email protected]> F=<[email protected]> R=virtual_user T=dovecot_lmtp_udp S=11697 C="250 2.0.0 <[email protected]> hRSJOEnPSVyrIgAA7QZeHQ Saved"
2019-01-24 14:44:26 1gmgEz-0003Dc-Na => [email][email protected][/email] <[email protected]> F=<[email protected]> SRS=<[email protected]> R=lookuphost T=remote_smtp S=12411 H=gmail-smtp-in.l.google.com [173.194.76.26] I=[#C#] X=TLSv1.2:ECDHE-RSA-CHACHA20-POLY1305:256 CV=yes C="250 2.0.0 OK 1548341066 s13si70195169wrv.406 - gsmtp"
2019-01-24 14:44:26 1gmgEz-0003Dc-Na Completed
2019-01-24 14:44:26 1gmgEz-0003DU-HZ => jane <[email protected]> F=<[email protected]> R=spamcheck_director T=spamcheck S=11284
2019-01-24 14:44:26 1gmgEz-0003DU-HZ -> john <[email protected]> F=<[email protected]> R=spamcheck_director T=spamcheck S=11284
2019-01-24 14:44:26 1gmgEz-0003DU-HZ CompletedExim is identifying itself to gmail as [email protected] . So what does gmail have to say about that?
Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate #C# as permitted sender) client-ip=#C#;
gmail is right - Only #B# and #A# can send on behalf of example.com, as seen above. Is there any way to fix this without extensive manual setup for every user? (I have several more with this setup.)
