You can just check the envelope sender address in the user's .qmail file, if you don't care about spoofed sender addresses or the user's ability to edit their .qmail file. Use bouncesaying to bounce all non-locally-originated mail.
Use a badrcptto patch that doesn't do the check on internal relay clients.
You could use a whole host of qmail patches to do this....but this is a bit drastic.
