I would drive all the mail into an imap account and teach "this uncle with big ears" to shift letters in the client into two different folders
. The simplest program periodically pumps letters out of the folder and forwards them to send. Of course, it cleans the folder after itself, and just cleans the rejected folder.
Slightly strange Received headers will turn out, but it can be worse. They can be cleaned in the same program.

always_bcc_to in case of postfix.

The task is very difficult, given that part of the mail is sent through the gmail web interface and others.
I would recommend that you intercept all connections on port 25 using a firewall, and wrap them in your MTA (for example, Exim), which will allow you to do almost anything you want with mail. However, keep in mind that the client can say STARTTLS and the certificate will not match the one he wants to receive, and the headers of the sent letters will show that they went through your server.
A method that is transparent to the user includes analyzing intercepted traffic, or man-in-the-middle: something similar is done by antiviruses that check mail. Here is an example of a similar software for Unix systems: software.klolik.org/smtp-gated/
Perhaps you will find something else, and at the same time more appropriate for your goals
. I also do not exclude that there is already ready-made commercial software just for such cases, and it does its job quietly, and perhaps even under Windows - such crap for domestic security guards often comes to mind

It's easier to put the clave. spy and send data to the server, which is then read.

I will clarify the TK: the solution is necessary for accounts on our domain_name.com soapbox.
Those. there is a domain and hosting and MX at the hoster, you want users to set up accounts, for example, in The Bat or Thunderbird like [email protected]_name.com. web is closed.

Further, the problem is reduced by several lines of the MTA config (the one-line version is proposed first).
Thanks for your attention, but could you be more specific about what options you mean.
the one-line variant does not correspond to the TOR, because the mail accumulating in some box will have to be forwarded manually, which changes the type of the letter.