Replying to a message from: Synametrics Support

I forgot to answer a couple of questions: why is the connection NOT encrypted from the start?

There is a historic reason for this. When email first started, SMTP servers used to communicate on port 25 and there were no SSL certificates. Later on, port 465 was introduced for SSL. However, many servers kept communicating on port 25 without encryption. There was a need to use SSL on port 25 without breaking the existing communications. That is when STARTTLS was introduced, which has the ability to start with non-encrypted communication and later upgrade the same socket to encrypted communication.

You said: A simple sniffing tool sitting between Xeams and Exchange will be able to watch the communication. This is correct but there is more to it:

  • This tool will only be able to see the HELO/EHLO, MAIL FROM and RCPT TO commands, not the DATA command, which will hold the actual email. By default, the SMTP Proxy server runs in Async Mode. This means that it will only proxy the HELO/EHLO, MAIL FROM and RCPT TO. The original connection will be disconnected from Exchange before DATA is sent.
  • If a message is considered good, Xeams will create a brand new connection to Exchange. This new connection will be visible through SMTPOutboundConversation.log and will use STARTTLS if supported by Exchange.
  • If you think sending MAIL FROM and RCPT TO is a security risk (which I don't think it is, since everything is within your LAN), you can use the regular SMTP Server instead of the Proxy server.
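The following is an added example, not code from Synametrics or Xeams, that models the two points in the reply above: which SMTP commands cross the wire in plaintext before a STARTTLS upgrade, and which commands an Async Mode proxy forwards upstream before it disconnects at DATA. The EHLO replies, hostnames and addresses are constructed samples; the `starttls_advertised()` helper at the end uses the standard `smtplib` API to check a real server and takes an assumed host name.

```python
"""Added example: plaintext-then-upgrade SMTP exchange and Async Mode proxy view.
Not Synametrics/Xeams code; all sample data below is constructed."""
import smtplib
from typing import List, Tuple

# Constructed EHLO reply from a server that advertises STARTTLS.
EHLO_WITH_STARTTLS = (
    "250-mail.example.local Hello [192.0.2.10]\r\n"
    "250-SIZE 37748736\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 OK\r\n"
)

# Constructed EHLO reply from a server that does not advertise STARTTLS.
EHLO_NO_STARTTLS = (
    "250-mail.example.local Hello [192.0.2.10]\r\n"
    "250-SIZE 37748736\r\n"
    "250 8BITMIME\r\n"
)

# Envelope commands an Async Mode proxy relays before disconnecting.
ENVELOPE_COMMANDS = ("HELO", "EHLO", "MAIL FROM", "RCPT TO")


def parse_ehlo_capabilities(reply: str) -> set:
    """Return the extension keywords from a multi-line EHLO reply.
    The first 250 line is the server greeting, not a capability, so skip it."""
    caps = set()
    for line in reply.splitlines()[1:]:
        if line[:3] == "250" and len(line) > 4:
            caps.add(line[4:].split()[0].upper())
    return caps


def server_offers_starttls(reply: str) -> bool:
    """True if the EHLO reply lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_capabilities(reply)


def build_session(starttls_offered: bool) -> List[str]:
    """Client command sequence for one message. A client only issues STARTTLS
    (and re-issues EHLO inside TLS) when the server advertised it."""
    cmds = ["EHLO xeams.example.local"]
    if starttls_offered:
        cmds += ["STARTTLS", "EHLO xeams.example.local"]
    cmds += ["MAIL FROM:<sender@example.local>",
             "RCPT TO:<recipient@example.local>",
             "DATA"]
    return cmds


def classify_commands(commands: List[str], starttls_offered: bool) -> Tuple[List[str], List[str]]:
    """Split a command sequence into (plaintext, encrypted). Everything up to
    and including STARTTLS is sent in the clear; the socket is then upgraded
    and later commands travel inside TLS. Without STARTTLS, all are plaintext."""
    plaintext, encrypted = [], []
    upgraded = False
    for cmd in commands:
        if upgraded:
            encrypted.append(cmd)
        else:
            plaintext.append(cmd)
            if starttls_offered and cmd.upper().startswith("STARTTLS"):
                upgraded = True
    return plaintext, encrypted


def async_proxy_forwarded(commands: List[str]) -> List[str]:
    """Commands an Async Mode proxy passes to the upstream server: only the
    envelope commands, and it drops the upstream connection at DATA, so the
    message body never traverses that first connection."""
    forwarded = []
    for cmd in commands:
        if cmd.upper().startswith("DATA"):
            break
        if cmd.upper().startswith(ENVELOPE_COMMANDS):
            forwarded.append(cmd)
    return forwarded


def starttls_advertised(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check (not exercised offline): connect, send EHLO, and report whether
    the server lists STARTTLS. `host` is an assumed parameter you supply."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


if __name__ == "__main__":
    offered = server_offers_starttls(EHLO_WITH_STARTTLS)
    clear, enc = classify_commands(build_session(offered), offered)
    print("plaintext:", clear)
    print("encrypted:", enc)
    print("proxy forwards:", async_proxy_forwarded(build_session(False)))
```

Running `starttls_advertised("exchange.example.local")` against the real Exchange host is the quick way to confirm the second bullet above: if it returns True, the new outbound connection Xeams opens will be upgraded, and the plaintext portion of that connection is limited to the EHLO and STARTTLS commands themselves.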