Often, people want to arrange their RCPT ACL something like this:

Accept anything locally generated:
accept hosts = :

Accept anything from authenticated users:
accept authenticated = *

Accept anything from the local network:
accept hosts = +local_network

Here you have to decide what "local_network" means - for example, you might want to define it as 192.168.0.0/16

Reject non-local domains:
deny domains = !+local_domains
message = Relaying denied

This is what stops your Exim from being an open relay. Again, you have to decide what local_domains means.

Reject invalid recipients:
require verify = recipient

This causes Exim to check that the recipient is routeable. For example, bob@your.example.com might exist, but lktjnho@your.example.com might not. Using verify = recipient, in conjunction with the right router configuration, causes Exim to reject the bad addresses at RCPT time.

If you want to add extra checks (such as consulting DNS blacklists, or rejecting "bounce" messages with large numbers of recipients), this would be a good place to do add them.
   

Accept the rest:
accept

As long as you don't configure Exim to be an open relay, the details are entirely up to you.