Replying to a message from: Synametrics Support

James,

This is an excellent question. Thank you for asking.

You are correct when you say Xeams acts as a middleman when using the Proxy server. Since SSL does not allow a middleman, you MUST use a certificate on Xeams, not on Exchange. This way the communication between the sender's SMTP server and Xeams will be encrypted. See image below.

In-bound Messages

Email Flow for StartTLS

When using the Proxy server, the certificate present on your Exchange never comes into the picture.

When two SMTP servers communicate with each other, one acts as a client and the other as a server. A certificate is only required by the end that is acting as a server. Therefore, STARTTLS will ONLY be used by the sender's email server IFF you have installed a valid certificate in Xeams. When STARTTLS is not enabled in Xeams, the sender will send the message in the clear.

Out-bound Messages

When Xeams needs to send messages out to another SMTP server, it acts as a client. Since a certificate is NOT needed when acting as a client, Xeams will always use STARTTLS even if it is not enabled for incoming. In this case, the communication between Exchange and Xeams may or may not be enabled. Out-bound communication with, for example, gmail.com will always be enabled since Google supports STARTTLS.


Let us know if you need further explanation.
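The in-bound case above comes down to one question a sender's server asks when it connects to your MX: does the EHLO response advertise STARTTLS, and does the certificate offered there verify for the name it connected to? The script below is an added example, not part of the support reply and not Synametrics code. It parses EHLO responses (the two sample responses are constructed), reports what an opportunistic sender would do with them, and includes a live check that connects to a real host with a verifying TLS context, so a certificate installed on the wrong box (Exchange instead of the proxy) shows up as a verification failure. The host name `mx.example.com` is a placeholder.

```python
"""Check what a sending SMTP server sees when it connects to your MX (e.g. the
Xeams proxy): is STARTTLS advertised, and does the certificate presented there
verify for that host name?  Added example; sample EHLO responses are constructed
and the host names are placeholders."""
import re
import smtplib
import ssl
import sys
from dataclasses import dataclass, field

# Constructed EHLO responses, in the raw form seen with telnet or openssl s_client.
EHLO_WITH_STARTTLS = (b"250-mx.example.com Hello\r\n"
                      b"250-STARTTLS\r\n"
                      b"250-SIZE 10240000\r\n"
                      b"250 8BITMIME")
EHLO_WITHOUT_STARTTLS = (b"250-mx.example.com Hello\r\n"
                         b"250-SIZE 10240000\r\n"
                         b"250 8BITMIME")

_CODE_PREFIX = re.compile(rb"^\d{3}[ -]")


def parse_ehlo_features(ehlo_msg: bytes) -> dict:
    """Map extension keyword -> parameters from an EHLO response body.
    Accepts raw wire lines ("250-STARTTLS") as well as the code-stripped
    lines smtplib keeps in SMTP.ehlo_resp ("STARTTLS")."""
    features = {}
    for line in ehlo_msg.splitlines()[1:]:   # first line is the greeting, not an extension
        line = line.strip()
        if _CODE_PREFIX.match(line):
            line = line[4:]
        parts = line.decode("latin-1").split(maxsplit=1)
        if parts:
            features[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return features


def starttls_offered(ehlo_msg: bytes) -> bool:
    return "STARTTLS" in parse_ehlo_features(ehlo_msg)


def opportunistic_delivery_mode(ehlo_msg: bytes) -> str:
    """What a typical sender does: encrypt if the server offers STARTTLS,
    otherwise deliver in the clear (the fallback the reply above describes)."""
    return "starttls" if starttls_offered(ehlo_msg) else "cleartext"


@dataclass
class StartTlsReport:
    host: str
    starttls_offered: bool = False
    tls_verified: bool = False           # handshake completed with chain and hostname checks
    cert_dns_names: list = field(default_factory=list)
    error: str = ""


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> StartTlsReport:
    """Live check against a real MX (network access required)."""
    report = StartTlsReport(host=host)
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            report.starttls_offered = starttls_offered(smtp.ehlo_resp)
            if not report.starttls_offered:
                report.error = "STARTTLS not advertised; senders will deliver in the clear"
                return report
            # A verifying context fails when the certificate is missing, expired,
            # self-signed, or issued for another name (e.g. installed on Exchange
            # rather than on the proxy the sender actually connects to).
            smtp.starttls(context=ssl.create_default_context())
            report.tls_verified = True
            cert = smtp.sock.getpeercert()
            report.cert_dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    except ssl.SSLCertVerificationError as exc:
        report.error = f"certificate did not verify for {host}: {exc.verify_message}"
    except (smtplib.SMTPException, OSError) as exc:
        report.error = f"{type(exc).__name__}: {exc}"
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mx.example.com"   # placeholder host
    print(check_starttls(target))
```

Run it as `python check_starttls.py your.mx.hostname` from outside your network: if it reports `starttls_offered=False`, inbound mail is arriving in the clear regardless of what is installed on Exchange; if it reports a verification error, the certificate on the proxy does not match the name senders connect to.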