Exchange 2010 and all emails go in and out through Barracuda cloud spam filter.
Started using a cloud accounting package that sends emails with the user's Exchange domain email address and those go through the cloud service's mail servers. Those emails were originally bouncing for SPF, so added the cloud services hostnames to the SPF and they now get past Barracuda, but Exchange is stopping them near as I can tell.
So Bob logs into the cloud accounting service, creates a PO, needs that PO approved. The approval is emailed to Bob's manager through the accounting system. The email goes to firstname.lastname@example.org and the from is email@example.com. The email servers at the service show the from a firstname.lastname@example.org and to email@example.com. Exchange doesn't appear to like that.
Rejected (mail.domain.com:25:550 5.7.1 Client does not have permissions to send as this sender)
Exchange is only allowed to talk to Barracuda in and out via ACLs on the firewall....could I change something in Exchange to allow emails from domain.com that come in on the default receive connector? It seems like a bad idea to me though.