Forwarded mail from one Postfix server to another over a VPN is tagged as spam. Where do you flag that hop as OK?

[aleph de]

I'm receiving mail for a domain at a Postfix server on my VPS's static IP, then 
forwarding it to a Postfix server on my office lan.

I've switched to connecting to the office lan's server @ an internal IP address 
(192.168.2.13) over a VPN link that I've set up.  That address is NOT reachable 
directly from the 'net -- only over the VPN.

Mail sent through the VPS' IP is correctly forwarded and received at the 
server.  But once I stuck the VPN in the loop it's getting tagged as spam by 
Amavis/Spamasssassin running on the office server.

The received message's headers have 

        X-Spam-Flag: YES
        X-Spam-Score: 9.6
        X-Spam-Level: *********
        X-Spam-Status: Yes, score=9.6 tagged_above=-10 required=5
                tests=[BAYES_00=-1.9, RDNS_NONE=1.5, SPF_HELO_FAIL=10]
                autolearn=no autolearn_force=no
        Received: from mx1-internal.MYDOMAIN.com ([127.0.0.1])
                by localhost (mx1-internal.MYDOMAIN.com [127.0.0.1]) 
(amavisd-new, port 10024)
                with ESMTP id CoqYh_JBKbcT for <postmas...@domain2.com>;
                Sat, 16 May 2015 18:13:17 -0700 (PDT)
        Received: from mx1.MYDOMAIN.com (unknown [10.0.0.1])
                (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
                (No client certificate requested)
                by mx1-internal.MYDOMAIN.com (Postfix) with ESMTPS id 
BABB5101D7B
                for <postmas...@domain2.com>; Sat, 16 May 2015 18:13:16 -0700 
(PDT)
        Received: from c.mail.sonic.net (c.mail.sonic.net [64.142.111.80])
                by mx1.MYDOMAIN.com (Postfix) with ESMTP id D195061EC3
                for <postmas...@domain2.com>; Sat, 16 May 2015 18:13:15 -0700 
(PDT)

The main culprit looks like it's the

        SPF_HELO_FAIL=10

Probably because the receiving Postfix server checks the HELO @ IP = 10.0.0.1, 
if I understand how the HELO checks work

        Received: from mx1.MYDOMAIN.com (unknown [10.0.0.1])

Where 10.0.0.1 is the VPN endpoint on the VPS side.

The mail logs on the Office side show

        May 16 18:42:55 mx1-internal amavis[6073]: (06073-02) Passed SPAMMY 
{RelayedTaggedInbound}, [10.0.0.1]:53597 [208.201.242.19] <myn...@sonic.net> -> 
<postmas...@domain2.com>, Queue-ID: BABB5101D7B, Message-ID: 
<201505170142.d4e7gach945...@bolt.sonic.net>, mail_id: CoqYh_JBKbcT, Hits: 9.6, 
size: 1536, queued_as: 0E73B101D89, 7202 ms

I think I need to fix or ignore that check - since the relay step from my VPS 
to my Office server isn't relevant to checking.

What I DON'T KNOW, though, is where I fix this.  In Postfix config, either on 
the VPS or Office side, or in Amavis/Spamassassin.  I'm not convinced that 
because amavis is reporting on it that it's an amavis issue.  Might be ...

Where do I "ok" this hop so that it's not scored, or even considered in the 
scoring?