I could not find any way to (easily) use badmailfromto to block email going to outside users. With the plugin enabled and configured to block unwanted mail, the "relay" plugin still allows the email to go through. I worry that reconfiguring the "relay" client would be somewhat painful...
I did think of a semi-voluntary way of doing what you want (semi-voluntary because employees who want to get around it can figure out how, and you're depending on outside servers having reliable spam filters in place...)
1) create a non-routeable secondary domain on your SME - eg "mydomain.local"
2) set the local-only users to be invisible to the outside world using db accounts setprop username Visible internal
3) configure the email clients for the local-only users to use "username@mydomain.local"
4) monitor email from internal-only users and re-educate as necessary
Email between internal users will continue to work since there is only one mailbox per "username", and email to outside destinations will be declined by the spam filters of the outside mail servers since "mydomain.local" does not exist.
You can monitor email from the "localonly" users to remote destinations (for user re-education) using:
export localonly='billing@mydomain.*remote|mmccarn@mydomain.*remote'
cat /var/log/qmail/current |/usr/local/qmailanalog/bin/matchup |egrep "$localonly" |awk '{print $7 "\t" $8}'
Output looks like this (I'm sure we could figure out how to suppress the error on line one if that is important...):
matchup: fatal: unable to write fd 5: file descriptor not open
<billing@mydomain.us> remote.m.mccarn@remotedomain.tld
<billing@mydomain.us> remote.m.mccarn@remotedomain.tld
<billing@mydomain.us> remote.m.mccarn@remotedomain.tld
<mmccarn@mydomain.local> remote.m.mccarn@remotedomain.tld
<billing@mydomain.us> remote.m.mccarn@remotedomain.tld
<billing@mydomain.us> remote.m.mccarn@remotedomain.tld
<billing@mydomain.us> remote.m.mccarn@remotedomain.tld
<billing@mydomain.us> remote.m.mccarn@remotedomain.tld
<billing@mydomain.us> remote.m.mccarn@remotedomain.tld
<billing@mydomain.us> remote.m.mccarn@remotedomain.tld
You can review more qmail logs than just "current" using:
cat /var/log/qmail/current /var/log/qmail/@*|/usr/local/qmailanalog/bin/matchup |egrep "$localonly" |awk '{print $7 "\t" $8}'
[edit]
Here is a code snippet that will set "localonly" to all of the users who are configured with 'Visible=internal':
export localonly=$(db accounts print |grep 'Visible|internal' |sed 's/=.*//' |while read -r u; do printf '%s@%s.*remote|' "$u" "$(config get DomainName |sed 's/\..*//')"; done |sed 's/|$//')
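As an added example (not code from the post above), the same pattern building and monitoring run against constructed stand-ins for the `db accounts print` dump and for the two-column "sender recipient" output of the awk step, so it can be exercised offline; it also counts only lines whose delivery channel is `remote.`, so a local recipient whose address merely contains the string "remote" is not reported.

```shell
#!/bin/sh
# Added example: build the "localonly" alternation and count remote deliveries
# per local-only sender. All input below is constructed sample data.

# Constructed stand-in for `db accounts print` output (assumed SME Server layout).
ACCOUNTS_DUMP='billing=user|FirstName|Billing|LastName|Dept|Visible|internal
mmccarn=user|FirstName|Mike|LastName|McCarn|Visible|global
shipping=user|FirstName|Ship|Visible|internal
admin=system'

# Constructed stand-in for the "<sender> channel.recipient" columns the awk prints.
MATCHUP_OUT='<billing@mydomain.us> remote.m.mccarn@remotedomain.tld
<mmccarn@mydomain.us> remote.someone@example.org
<shipping@mydomain.us> local.billing@mydomain.us
<billing@mydomain.us> remote.vendor@example.com
<shipping@mydomain.us> remote.partner@example.net'

DOMAIN=mydomain.us   # stand-in for $(config get DomainName)

# Same alternation the post builds, fed from the variable instead of db:
# billing@mydomain.*remote|shipping@mydomain.*remote
build_localonly_pattern() {
  printf '%s\n' "$ACCOUNTS_DUMP" \
    | grep 'Visible|internal' \
    | sed 's/=.*//' \
    | while read -r u; do printf '%s@%s.*remote|' "$u" "${DOMAIN%%.*}"; done \
    | sed 's/|$//'
}

# Print "count sender" for each local-only sender whose mail left via the
# remote channel, most frequent first. The awk guard on $2 keeps the count
# honest when the regex alone would over-match.
report_local_only_to_remote() {
  pattern=$(build_localonly_pattern)
  printf '%s\n' "$MATCHUP_OUT" \
    | grep -E "$pattern" \
    | awk '$2 ~ /^remote\./ { n[$1]++ } END { for (s in n) print n[s], s }' \
    | sort -rn
}

report_local_only_to_remote
```

Against the real log, give matchup an open descriptor 5 (for example `matchup 5>/dev/null`, or `5>unmatched` to keep the records it could not pair), which removes the "unable to write fd 5" line shown in the post's output.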