Exchange transport rule block outside but allow exceptions

In short, I have a transport rule in Exchange 2007 to block a DDG from receiving email from the internet; only internal email is allowed.  In transitioning the mail server to 365, I'll be sending mail to these users via a local SMTP server that connects to AWS SES, which sends the mail back to Exchange; however, these are obviously treated as "outside".  I could add an exception to the transport rule to allow email from an address or distribution group to come through, but then I worry about spoofed emails getting to users and them thinking it is from an internal user.  I'm also considering adding an exception for anything with the "" text pattern in the header, so anything coming from AWS SES is allowed, but then that would allow any email from amazonses.

Any other ideas or which would be best to limit this group during the transition?

Also, going forward with 365, I'll probably set up a relay in 365 and redirect this local SMTP server to authenticate and connect to it, but will I be in the same position with 365, in that the emails coming from my local SMTP server will be considered "outside"?

What is this AWS SES SMTP? Is it acting as a smart host?

When you set up a hybrid environment, the hybrid configuration will add a connector at O365 which will accept emails from your on-premises Exchange. There you need to add the public IP of your smart host and Exchange servers to the connector to allow inbound mail to O365; these mails are definitely considered as inside.

As long as MX is pointing to on-premises Exchange, group expansion will happen on-premises and O365 users won't receive external emails if they are part of a restricted DG.
Brian_MB (Author) commented:
Amazon's SMTP server.  We'll be getting rid of on-premises Exchange once 365 is in place.  So in the interim, for hardware and software that is local, I am directing them to send email to a local SMTP server instead of Exchange, since that will be going away.  The local SMTP server connects to Amazon's SMTP server as the smart host.  So the hardware may send a message to from, but since it is now going through Amazon and back to Exchange, it is no longer internal allowed email.  So, again, I can add a transport rule to allow anything with amazon in the message header through temporarily, but this setup with local hardware/software will still exist when using 365.  My plan is to just change the smart host on the local SMTP server to point to a relay I set up in 365 instead of Amazon; that's where I don't know if 365 will treat email coming from my local SMTP server as inside or outside.
Once you set up a relay to O365, your SMTP server will send emails directly to O365 through the O365 connector.
The O365 connector will accept emails only from the SMTP servers / other SMTP smart hosts you specified in the connector; apart from that, all external / other emails would have to hit the O365 MX, pass all security checks and eventually obey the external transport rule, if any.

No matter whether Amazon remains in between or not, or even your SMTP server for that matter, as long as the from address is (accepted domain) while receiving emails through the O365 connector at the O365 end, the mail will be considered as internal, and again it is not spoofed because the sender IP (on-premises SMTP or Amazon server) is added in the on-premises to O365 connector.
Any mail for which the from address is would be considered as outside mail.
This is the definition of internal and external as far as I know.
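The connector-plus-rule setup described in this answer, written out as an added Exchange Online PowerShell example (not code from the thread). The group address, the relay IP and the rule names are placeholders I assume here; Exchange 2007 uses a different New-TransportRule syntax, so this shows only the 365 side.

```powershell
# Added example, not from the thread. Assumed placeholders:
#   restricted-dg@contoso.example  - the restricted distribution group
#   203.0.113.10                   - public IP of the on-premises SMTP relay (constructed, TEST-NET)
# Run in Exchange Online PowerShell after Connect-ExchangeOnline.

# 1. Inbound connector: mail arriving on this connector is treated as on-premises
#    (internal), but only when the connecting IP is listed in -SenderIPAddresses.
#    A forged From: in the accepted domain coming from any other IP cannot use it
#    and must arrive via MX, where it is external and hits the rule below.
New-InboundConnector -Name "OnPrem SMTP relay" `
    -ConnectorType OnPremises `
    -SenderDomains "*" `
    -SenderIPAddresses "203.0.113.10" `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true `
    -Enabled $true

# 2. Transport rule: reject mail to the restricted group unless the sender is
#    in the organization. Relay mail that came in through the connector above is
#    InOrganization and passes; internet mail delivered via MX is rejected.
New-TransportRule -Name "Block external mail to restricted DG" `
    -SentToMemberOf "restricted-dg@contoso.example" `
    -FromScope NotInOrganization `
    -RejectMessageReasonText "This group only accepts internal mail." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Enabled $true

# 3. Verify the behaviour with a message trace: relay mail shows the relay's
#    FromIP and Status Delivered; internet mail to the group shows Status Failed.
Get-MessageTrace -RecipientAddress "restricted-dg@contoso.example" `
    -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Select-Object Received, SenderAddress, FromIP, Status
```

Send one test message through the relay and one from an outside mailbox, then compare the two trace rows to confirm which path each took.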

Brian_MB (Author) commented:
Thank you.  I did set up a connector in 365 and configured my SMTP server to use it.  I verified, with rules set in 365 to block external email, that email coming from my SMTP server is considered internal if the from domain matches a domain in 365.

As far as the rule blocking external email on the current Exchange server, I think I'll go with an exception matching the header for to receive email routed through the local SMTP server temporarily.