Gitlab and Exim conflicting 'from' addresses when sending emails

Question

I have installed Gitlab 8.15 and Exim 4.84 on CentOS 7

Whenever Gitlab sends a message, it should come from '[email protected]' which is correctly set in config/gitlab.yml.

If I look in the log, I see the following:

2016-12-21 21:50:02 cwd=/ 6 args: /usr/sbin/sendmail -i -f [email protected] -- [email protected]
2016-12-21 21:50:02 1cJnpq-0001ZR-NG <= [email protected] U=git P=local S=3859 [email protected] T="Reset password instructions" from <[email protected]> for [email protected]

Note that between those 2 lines, the from address changed from [email protected] to [email protected] which is based on user@FQDN.

My external SMTP server then does a DKIM and SPF lookup on vps.mydomain.nl, instead of mydomain.nl, which fails and the mail is rejected.

I am not sure where this change happens and how I should fix this. Is this something on Gitlab side or something on Exim side?

The relevant parts from my exim configuration:

begin routers
mysmtphost_email:
  driver = manualroute
  domains = ! +local_domains
  ignore_target_hosts = 127.0.0.0/8
  transport = mysmtphost_relay
  route_list = * vps.mysmtphost.email::587
  no_more

(...)

begin transports
mysmtphost_relay:
  driver = smtp
  port = 587
  hosts_require_auth = <; $host_address
  hosts_require_tls = <; $host_address

Answer 1

Just found out the user git was not part of the trusted_users directive in the exim.conf file. I changed it to include the user as follows: trusted_users = mail:apache:passenger:git

I came to this conclusion since mails sent by other Rails applications running as user passenger were being sent correctly as specified by the from address. Then I noticed passenger being part of this directive and git not.

From the Exim documentation:

Trusted users are always permitted to use the -f option or a leading “From ” line to specify the envelope sender of a message that is passed to Exim through the local interface (see the -bm and -f options below). See the untrusted_set_sender option for a way of permitting non-trusted users to set envelope senders.

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_command_line.html#SECTtrustedadmin

Processes running as root or the Exim user are always trusted. Other trusted users are defined by the trusted_users or trusted_groups options. In the absence of -f, or if the caller is not trusted, the sender of a local message is set to the caller’s login name at the default qualify domain.