This would probably be more easily implemented with separate servers: a simple mail gateway which accepts mail for mail@example.com and is listed as the public MX server. It would then forward all messages into your intranet mail server, where all the employee mail is hosted. The internal server would implement the internal forwarding, and allow mail from employee A and B to be forwarded by the public mail gateway.
To block/allow mail to external domains, it really depends on what software you're using to implement it. In Postfix it's quite straightforward.
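As an added illustration of the two-server layout and the Postfix per-sender restriction described above (this is example configuration written for this page, not the answer author's own config), the fragments below show a public gateway that relays everything for example.com inward, and an internal server where only employee A and B may send to external domains. The domain example.com comes from the answer; the hostnames, network range and employee addresses are constructed placeholders.

```conf
# ---- /etc/postfix/main.cf on the PUBLIC GATEWAY (the host listed as MX) ----
# Assumed hostname; the gateway hosts no mailboxes of its own.
myhostname = mx.example.com
mydestination =
# Accept only mail for example.com and hand all of it to the internal server.
# "[host]" tells Postfix to deliver to that host directly, skipping an MX lookup.
relay_domains = example.com
relay_transport = smtp:[mail.intranet.example.com]   # assumed internal host
# Reject unknown recipients at the edge rather than accepting and bouncing later
# (avoids backscatter); the table lists every valid address, one per line.
relay_recipient_maps = hash:/etc/postfix/relay_recipients
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination

# ---- /etc/postfix/main.cf on the INTERNAL SERVER (employee mailboxes) ----
# Assumed LAN range; must include the gateway's address so it may relay inward.
mynetworks = 127.0.0.0/8, 192.0.2.0/24
mydestination = example.com, localhost
# Order matters: restrictions are evaluated top to bottom and the first
# permit/reject wins, so the per-sender check must run BEFORE permit_mynetworks,
# otherwise LAN clients are accepted before the sender table is ever consulted.
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/restricted_senders
    permit_mynetworks
    reject_unauth_destination
# Restriction class: the recipient must be in a local domain, anything else is rejected.
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject

# ---- /etc/postfix/restricted_senders (constructed sample; run "postmap" on it) ----
# Lookup order for an address is user@domain first, then the bare domain, so the
# two explicit entries win over the domain-wide default below them.
# DUNNO = no decision here, continue with the remaining restrictions (A and B
# therefore reach permit_mynetworks and may send externally).
employee.a@example.com    DUNNO
employee.b@example.com    DUNNO
# Everyone else at example.com is confined to internal recipients.
example.com               local_only

# ---- /etc/postfix/local_domains (constructed sample; run "postmap" on it) ----
# Recipient domains that count as "internal" for the local_only class.
example.com     OK
.example.com    OK
```

After editing the two tables, run `postmap /etc/postfix/restricted_senders` and `postmap /etc/postfix/local_domains` so the hash files exist, then `postfix reload`. One caveat a defender should keep in mind: `check_sender_access` keys on the envelope sender, which any client on the LAN can forge. If the internal server accepts submissions with SASL authentication, pair this with `smtpd_sender_login_maps` and `reject_sender_login_mismatch` so that a user can only claim their own sender address; otherwise the external-sending privilege of A and B is only as strong as the honesty of the MAIL FROM line.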