1) You configure your MTA to allow authentication via SMTP (SMTP-Auth). Your users then have to change settings in their email clients (e.g. Outlook), i.e., they have to activate Server requires authentication.
2) You install “POP-before-SMTP” or poprelayd on your server. Your users then have to fetch emails first before they are allowed to send emails for a restricted period of time (mostly 30 min.).