Remote SPF validation issue: internal forward e-mail with SRS + dedicated domain IPs

Protected (Verified User)
My exim.conf version is 4.5.12 from August 15, 2018. My exim.variables.conf.custom contains:

Code:
ignore_bounce_errors_after=1d
timeout_frozen_after=5d
hostlist relay_hosts=localhost
domainlist relay_domains=lsearch;/etc/virtual/domains : localhost
tls_verify_certificates = ${if exists {/etc/exim/$received_ip_address.cacert} {/etc/exim/$received_ip_address.cacert}}
tls_certificate = ${if exists {/etc/exim/$received_ip_address.cert} {/etc/exim/$received_ip_address.cert} {/etc/exim.cert}}
tls_privatekey = ${if exists {/etc/exim/$received_ip_address.key} {/etc/exim/$received_ip_address.key} {/etc/exim.key}}
log_selector = \
  +incoming_interface \
  +delivery_size \
  +sender_on_delivery \
  +received_recipients \
  +received_sender \
  +smtp_confirmation \
  +subject \
  +smtp_incomplete_transaction \
  -dnslist_defer \
  -host_lookup_failed \
  -queue_run \
  -rejected_header \
  -retry_defer \
  -skip_delivery \
  +arguments

(domainlist relay_domains and log_selector are manually commented out in exim.conf.)

I have Easy Spam Fighter in place, but I don't think it matters.

Setup

My server #server# has a main shared IP address #A#.

Let's say I have two users:

#john#, who owns the domain example.com with a Let's Encrypt SSL certificate. This user is set up with a single, dedicated IP address, #B#.
#jane#, who owns the domain example.net with a Let's Encrypt SSL certificate. This user is set up with a single, dedicated IP address, #C#.

The custom variable settings above are symbolic links that point to the correct certificate for example.com and example.net. This is all working fine.

The following DNS records are in place. I believe these are the defaults and I didn't change anything in the past and then forget about it (they are analogous for both users):

Code:
example.com.	TXT	"v=spf1 a mx ip4:#A# ~all"
example.com.	MX	10 mail
mail	A	#B#
smtp	A	#B#

#john# has created a forwarder [email protected] which points at [email protected].
#jane# has her own e-mail address, [email protected].

Problem

The owner of [email protected] wants to send an e-mail to [email protected]. Jane's e-mail client connects to smtp.example.net on IP address #C#, no problem so far. Here's a real log of one such interaction:

Code:
2019-01-24 14:44:25 1gmgEz-0003DU-HZ <= [email protected] H=([100.99.61.173]) [...] I=[#C#]:587 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:[email protected] S=10930 [email protected] T="Re: Test" from <[email protected]> for [email protected] [email protected]
2019-01-24 14:44:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gmgEz-0003DU-HZ
2019-01-24 14:44:25 cwd=/tmp 4 args: /usr/sbin/exim -oMr spam-scanned -bS
2019-01-24 14:44:25 1gmgEz-0003Dc-Na <= [email protected] U=mail P=spam-scanned S=11344 [email protected] T="Re: Test" from <[email protected]> for [email protected] [email protected]
2019-01-24 14:44:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gmgEz-0003Dc-Na
2019-01-24 14:44:25 1gmgEz-0003Dc-Na => jane <[email protected]> F=<[email protected]> R=virtual_user T=dovecot_lmtp_udp S=11697 C="250 2.0.0 <[email protected]> hRSJOEnPSVyrIgAA7QZeHQ Saved"
2019-01-24 14:44:26 1gmgEz-0003Dc-Na => [email protected] <[email protected]> F=<[email protected]> SRS=<[email protected]> R=lookuphost T=remote_smtp S=12411 H=gmail-smtp-in.l.google.com [173.194.76.26] I=[#C#] X=TLSv1.2:ECDHE-RSA-CHACHA20-POLY1305:256 CV=yes C="250 2.0.0 OK 1548341066 s13si70195169wrv.406 - gsmtp"
2019-01-24 14:44:26 1gmgEz-0003Dc-Na Completed
2019-01-24 14:44:26 1gmgEz-0003DU-HZ => jane <[email protected]> F=<[email protected]> R=spamcheck_director T=spamcheck S=11284
2019-01-24 14:44:26 1gmgEz-0003DU-HZ -> john <[email protected]> F=<[email protected]> R=spamcheck_director T=spamcheck S=11284
2019-01-24 14:44:26 1gmgEz-0003DU-HZ Completed

Exim is identifying itself to Gmail as [email protected]. So what does Gmail have to say about that?

Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate #C# as permitted sender) client-ip=#C#;

Gmail is right: only #B# and #A# can send on behalf of example.com, as seen above. Is there any way to fix this without extensive manual setup for every user? (I have several more with this setup.)
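A small offline re-run of the SPF evaluation Gmail performed above, added here as an example and not code from the original post or from Exim/DirectAdmin. It assumes constructed TEST-NET stand-ins for #A#, #B# and #C# and a hand-built DNS table mirroring the records quoted in the post, and shows the softfail the SRS-rewritten sender gets from #C# next to the pass it gets once example.com's record also lists #C#.

```python
import ipaddress

# Constructed stand-ins for the placeholders #A#, #B#, #C# in the post
# (TEST-NET-1 documentation addresses, not real hosts).
IP_A = "192.0.2.1"   # shared server IP
IP_B = "192.0.2.2"   # john's dedicated IP (example.com)
IP_C = "192.0.2.3"   # jane's dedicated IP (example.net)

# Constructed DNS table mirroring the records quoted in the post.
DNS = {
    ("example.com", "TXT"): [f"v=spf1 a mx ip4:{IP_A} ~all"],
    ("example.com", "A"): [IP_B],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): [IP_B],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype, dns=DNS):
    return dns.get((name, rtype), [])

def check_spf(domain, client_ip, dns=DNS):
    """Evaluate the a / mx / ip4 / all mechanisms of domain's SPF record for
    client_ip (include/redirect are not handled; the post's records have none)."""
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in lookup(domain, "TXT", dns) if r.startswith("v=spf1 ")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"   # default is '+'
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":  # bare address or CIDR prefix
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in lookup(arg or domain, "A", dns)
        elif name == "mx":
            matched = any(str(ip) in lookup(mx, "A", dns)
                          for mx in lookup(arg or domain, "MX", dns))
        else:
            matched = False  # unknown mechanism: ignored in this toy evaluator
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched (RFC 7208 default)

def with_extra_ip4(dns, domain, extra_ip):
    """Copy dns, adding ip4:extra_ip before the trailing 'all' of domain's record."""
    terms = lookup(domain, "TXT", dns)[0].split()
    return {**dns, (domain, "TXT"): [" ".join(terms[:-1] + [f"ip4:{extra_ip}", terms[-1]])]}
```

With the original table, check_spf("example.com", IP_C) returns "softfail", matching the Received-SPF header above; after with_extra_ip4(DNS, "example.com", IP_C) it returns "pass".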