If you want to allow internal users send on behalf of external addresses, add the following line between lines (7) and (8) in the previous code example:
BASE|*|*|* $Y$2
Adding this line makes the MTA accept any email sent by an internal user, in which header From: address is not from a locally hosted domain. At the same time, adding this line still allows for checking permission to send on behalf of other local users. No check is made on whether a local user can send using a particular external address in the header From: field.