Is a very complex task, considering that a piece of mail sent through the web interface of Gmail and other.
Would recommend you to intercept means the firewall all connections on port 25, and turn them into your MTA (e.g. Exim), which will allow you to do with the post almost everything you want. Note, however, the client can say STARTTLS and the certificate will not agree with that which he wishes to obtain, and in the headers of sent emails, you will see that they have passed through your server.
Transparent to the user method includes the analysis of intercepted traffic, or man-in-the-middle: doing anything like antivirus software that checks email. Here is an example similar softiny for UNIX-systems: software.klolik.org/smtp-gated/
Maybe you'll find something else, and thus more appropriate for your purposes
Do not exclude also that there is a ready commercial software for such cases, and doing their thing quietly, and perhaps even under Windows — domestic bezopasnym this crap often goes in the head