Exim

How to overwrite from for authorized users only?

The essence of the problem: an authorized user can specify any FROM.
The mail server is used as smarthost. The cluster.xx server sends an email via mail.xx, authenticating as [email protected] - this works correctly. Next, I delete all Received, so that it would not be visible that the letter was formed by cluster.xx , but the sender address is [email protected] and this is how it goes to external servers, respectively, spf, dkim are not used and a very ugly [email protected] is visible. xx. Where should the headers be rewritten and how should it look so that Exim sends MAIL FROM [email protected] (I will only check this with tcpdump) and the headers contain From: [email protected]
As a side note, if the mail.xx server is doing mail forwarding (already arbitrary senders), then, logically, it should store from and to in the headers. Those. if a letter arrives from [email protected] to [email protected] , forwarding to @google, it must save from [email protected] (Checked, forwarding letters from @yandex to @mail.xx preserves the headers From: original sender and To: [email protected]; there is no mention of @mail.xx to which Yandex sends)
Exim4, Ubuntu 18 LTS.