Hi Eddie
but the vendor mis-identified our relay as an exit, hence blocking it
The vendor or a service provider for its inbound protection might think: Hey, this relay claims to be a non-exit but why do we receive a connection from a non-exit? Bottom line they don't distinguish between an IP and the relay service. If they put both together the clonclusion makes sense in their wrong (?) perspective. It's a little paranoid I would say.
After changing the IP, the new IP was also blocked in less than 24 hours. My feeling is that the vendor is now just using the full list of tor nodes and indiscriminately blocking everything
Yup, agree
Do you have IPv6 available for your office traffic? While you use IP4 for the relay. If you route email and browser along IPv6 you could resolve the issue.
All the best!