IIRC this isn't at all simple with that software. For mostly poor reasons
that may have changed since last time I looked.

You could approximate it with a bit of hacking, though: Use exim to force a
bcc to something like policyviolation@asdf, and use a generated sieve file
for that address to check whether anyone's done anything forbidden. The
generated sieve script needs a long list of clauses like this one, which
permits aaa@asdf to use sales@asdf and blah@asdf in the From field:

if allof(envelope "from" :is "aaa@asdf".
         anyof(address "from" :is "sales@asdf",
               address "from" :is "blah@asdf")) {
    drop;
}

The default action at the end of a sieve script is to file into the inbox,
so the end effect is that your policyviolation@asdf account receives only
rule violations. Read that mail whenever you feel BOFHy and have a great
day — one way or the other.

Arnt