We are in a hybrid configuration with Exchange Online. All mailboxes have been migrated to Exchange Online; however, we still create mailboxes on-prem and migrate them to the cloud. We currently use IronPorts for all mail hygiene. Our security team will not allow a direct internet connection to any internal server, and this is why we have an Edge server. I don't really agree with this thought process. I am trying to understand what the security concerns/issues are with allowing SMTP port 25 access only from the Exchange Online servers to the back-end Exchange servers. Is it best practice to also deploy an Edge server in the DMZ? If so, why?