My exim.conf version is 4.5.12 from August 15, 2018. My exim.variables.conf.custom contains:

Code:
ignore_bounce_errors_after=1d
timeout_frozen_after=5d
hostlist relay_hosts=localhost
domainlist relay_domains=lsearch;/etc/virtual/domains : localhost
tls_verify_certificates = ${if exists {/etc/exim/$received_ip_address.cacert} {/etc/exim/$received_ip_address.cacert}}
tls_certificate = ${if exists {/etc/exim/$received_ip_address.cert} {/etc/exim/$received_ip_address.cert} {/etc/exim.cert}}
tls_privatekey = ${if exists {/etc/exim/$received_ip_address.key} {/etc/exim/$received_ip_address.key} {/etc/exim.key}}
log_selector = \
  +incoming_interface \
  +delivery_size \
  +sender_on_delivery \
  +received_recipients \
  +received_sender \
  +smtp_confirmation \
  +subject \
  +smtp_incomplete_transaction \
  -dnslist_defer \
  -host_lookup_failed \
  -queue_run \
  -rejected_header \
  -retry_defer \
  -skip_delivery \
  +arguments
(domainlist relay_domains and log_selector are manually commented out in exim.conf.)

I have Easy Spam Fighter in place, but I don't think it matters.

Setup

My server #server# has a main shared IP address #A#.

Let's say I have two users:

#john#, who owns the domain example.com with a Let's Encrypt SSL certificate. This user is set up with a single, dedicated IP address, #B#.
#jane#, who owns the domain example.net with a Let's Encrypt SSL certificate. This user is set up with a single, dedicated IP address, #C#.

The variables custom settings above are symbolic links that point towards the correct certificate for example.com and example.net. This is all working fine.

The following DNS records are in place - I believe these are the defaults, and I didn't change anything in the past and then forget about it (they are analogous for both users):

Code:
example.com.	TXT	"v=spf1 a mx ip4:#A# ~all"
example.com.	MX	10 mail
mail	A	#B#
smtp	A	#B#

#john# has created a forwarder john@example.com which points at example@gmail.com.
#jane# has her own e-mail address, jane@example.net.

Problem

The owner of jane@example.net wants to send an e-mail to john@example.com. Jane's e-mail client connects to smtp.example.net on IP address #C#; no problem so far. Here's a real log of one such interaction:

Code:
2019-01-24 14:44:25 1gmgEz-0003DU-HZ <= jane@example.net H=([100.99.61.173]) [...] I=[#C#]:587 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:jane@example.net S=10930 id=31F97EF0-B5C7-4A0E-AA6C-E4CF9FDE2A9E@example.net T="Re: Test" from <jane@example.net> for jane@example.net john@example.com
2019-01-24 14:44:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gmgEz-0003DU-HZ
2019-01-24 14:44:25 cwd=/tmp 4 args: /usr/sbin/exim -oMr spam-scanned -bS
2019-01-24 14:44:25 1gmgEz-0003Dc-Na <= jane@example.net U=mail P=spam-scanned S=11344 id=31F97EF0-B5C7-4A0E-AA6C-E4CF9FDE2A9E@example.net T="Re: Test" from <jane@example.net> for jane@example.net john@example.com
2019-01-24 14:44:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gmgEz-0003Dc-Na
2019-01-24 14:44:25 1gmgEz-0003Dc-Na => jane <jane@example.net> F=<jane@example.net> R=virtual_user T=dovecot_lmtp_udp S=11697 C="250 2.0.0 <jane@example.net> hRSJOEnPSVyrIgAA7QZeHQ Saved"
2019-01-24 14:44:26 1gmgEz-0003Dc-Na => example@gmail.com <john@example.com> F=<jane@example.net> SRS=<SRS0=gCk9iK=QA=example.net=jane@example.com> R=lookuphost T=remote_smtp S=12411 H=gmail-smtp-in.l.google.com [173.194.76.26] I=[#C#] X=TLSv1.2:ECDHE-RSA-CHACHA20-POLY1305:256 CV=yes C="250 2.0.0 OK 1548341066 s13si70195169wrv.406 - gsmtp"
2019-01-24 14:44:26 1gmgEz-0003Dc-Na Completed
2019-01-24 14:44:26 1gmgEz-0003DU-HZ => jane <jane@example.net> F=<jane@example.net> R=spamcheck_director T=spamcheck S=11284
2019-01-24 14:44:26 1gmgEz-0003DU-HZ -> john <john@example.com> F=<jane@example.net> R=spamcheck_director T=spamcheck S=11284
2019-01-24 14:44:26 1gmgEz-0003DU-HZ Completed
Exim is identifying itself to Gmail as SRS0=gCk9iK=QA=example.net=jane@example.com. So what does Gmail have to say about that?

Received-SPF: softfail (google.com: domain of transitioning srs0=gck9ik=qa=example.net=jane@example.com does not designate #C# as permitted sender) client-ip=#C#;

Gmail is right: only #B# and #A# can send on behalf of example.com, as seen above. Is there any way to fix this without extensive manual setup for every user? (I have several more with this setup.)
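To make the receiver's verdict reproducible, here is an added example that is not from the post, DirectAdmin or Exim: a minimal SPF evaluator in Python run over a constructed DNS table built from the records above. It shows that after SRS rewriting the envelope domain is example.com, so example.com's SPF record governs, and a connection from #C# can only reach softfail. The placeholder IPs and the apex A record for example.com (taken to be #B#) are assumptions.

```python
import ipaddress

# Constructed stand-ins for the post's placeholder IPs #A#, #B#, #C# (assumption).
IP_A, IP_B, IP_C = "192.0.2.10", "192.0.2.20", "192.0.2.30"
# Constructed DNS table mirroring the post's records for example.com. The apex
# A record is not shown in the post; it is assumed to be #B# (the dedicated IP),
# which matches the poster's "only #B# and #A#" remark.
DNS = {
    "example.com": {"TXT": [f"v=spf1 a mx ip4:{IP_A} ~all"],
                    "MX": ["mail.example.com"], "A": [IP_B]},
    "mail.example.com": {"A": [IP_B]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def envelope_domain(mail_from: str) -> str:
    """SPF is checked against the part after the last '@'; for an SRS-rewritten
    sender that is the forwarder's domain (example.com), not example.net."""
    return mail_from.rsplit("@", 1)[1].lower()

def check_spf(domain: str, client_ip: str, dns: dict = DNS) -> str:
    """Evaluate the mechanisms used in the post (a, mx, ip4, all), left to right;
    the first matching mechanism's qualifier decides the result."""
    records = [t for t in dns.get(domain, {}).get("TXT", []) if t.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none"                       # no record (or an ambiguous one)
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = client_ip in dns.get(arg or domain, {}).get("A", [])
        elif name == "mx":
            mx_hosts = dns.get(arg or domain, {}).get("MX", [])
            matched = any(client_ip in dns.get(h, {}).get("A", []) for h in mx_hosts)
        else:
            raise NotImplementedError(f"mechanism not modelled here: {term}")
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                        # nothing matched and no 'all' term

# Envelope sender Exim presented to Gmail, copied from the post's log line.
SRS_SENDER = "SRS0=gCk9iK=QA=example.net=jane@example.com"

def spf_result_for_forward(srs_sender: str = SRS_SENDER, client_ip: str = IP_C) -> str:
    """SPF outcome the receiver reaches for the forwarded message in the post."""
    return check_spf(envelope_domain(srs_sender), client_ip)
```

Calling `check_spf` with a modified TXT record lets you see which addresses the forwarding domain would have to authorize before the same connection from #C# passes.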