Hybrid Exchange + SMTP Proxy
I've followed the Office 365 integration guide for hybrid Exchange. TLS appears to be working fine and mail is flowing between the two sites, but it appears that the SMTP proxy causes mail routed from Exchange Online mailboxes to on-premises mailboxes to be marked as "outside the organization", and thus subject to the anti-spoofing mail flow rules I have configured on the internal Exchange server.
Disabling the SMTP proxy and using a packet filter corrects this, and mail is correctly marked as internal, but of course it then doesn't get inspected by GAV and spamblocker.
For now I've got two SMTP policies: one for Office 365 as a packet filter with a FROM alias that includes all M365 IPs, and a proxy policy that accepts SMTP from all other external sources.
Just reaching out to see if anyone else is in the same situation and whether you have done anything differently or better, so that I could possibly run mail from Exchange Online through spamblocker/GAV/etc., whether it's internal mail or not.