Exim: Force email auth for users of local domains

I'm configuring exim4 for virtual users with dovecot and postgresql and I got a problem I cannot resolve, the situation is this:

I need that when a 'localdomain' user tries to send a email to another 'localdomain' user or foreign user, needs to authenticate, otherwise refuse the operation.

Practically I'm trying to avoid any type of smtp open relay.

Actually the smtp works fine, just need to set that requirement, and I can't find the correct way of how I can configure exim correctly for get this behavior (Is a acl or route or transport rule?)

How could I define this configuration?

Example 1

220 my-server ESMTP Exim 4.84 Thu, 31 Mar 2016 22:26:28 +0000
ehlo localhost
250-my-server Hello localhost [192.168.1.X]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
mail from: a@my-server.com
250 OK
rcpt to: b@my-server.com
250 Accepted
data 
354 Enter message, ending with "." on a line by itself
this must not happen, the user 'a@my-server.com' is not authenticated,
he must not be able to send any message yet until of use 
of 'auth login' or 'auth plain' because is a user of local domains.
.
250 OK id=1all3Q-0004l2-V4

Example 2

220 my-server ESMTP Exim 4.84 Thu, 31 Mar 2016 22:58:56 +0000
ehlo localhost
250-my-server Hello localhost [192.168.1.X]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
mail from: a@anotherserver.com
250 OK
rcpt to: user@my-server.com
250 Accepted
data
354 Enter message, ending with "." on a line by itself
this is already valid.
.
250 OK id=1allZR-00050E-Sq

ACL RCPT-TO Config File

acl_check_rcpt:
  accept
    hosts = :
    control = dkim_disable_verify

  .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
  deny
    domains = +local_domains
    local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
    message = restricted characters in address
  .endif

  deny
    domains = !+local_domains
    local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
    message = restricted characters in address
  .endif

  accept
    .ifndef CHECK_RCPT_POSTMASTER
    local_parts = postmaster
    .else
    local_parts = CHECK_RCPT_POSTMASTER
    .endif
    domains = +local_domains : +relay_to_domains

  .ifdef CHECK_RCPT_VERIFY_SENDER
  deny
    message = Failed!
    !acl = acl_local_deny_exceptions
    !verify = sender
  .endif

  deny
    !acl = acl_local_deny_exceptions
    senders = ${if exists{CONFDIR/local_sender_callout}\
                         {CONFDIR/local_sender_callout}\
                   {}}
    !verify = sender/callout

  accept
    hosts = +relay_from_hosts
    control = submission/sender_retain
    control = dkim_disable_verify

  accept
    authenticated = *
    control = submission/sender_retain
    control = dkim_disable_verify

  require
    message = Relay denied!
    domains = +local_domains : +relay_to_domains

  require
    verify = recipient

  deny
    !acl = acl_local_deny_exceptions
    recipients = ${if exists{CONFDIR/local_rcpt_callout}\
                            {CONFDIR/local_rcpt_callout}\
                      {}}
    !verify = recipient/callout

  deny
    message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_local_deny_exceptions
    senders = ${if exists{CONFDIR/local_sender_blacklist}\
                   {CONFDIR/local_sender_blacklist}\
                   {}}

  deny
    message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_local_deny_exceptions
    hosts = ${if exists{CONFDIR/local_host_blacklist}\
                 {CONFDIR/local_host_blacklist}\
                 {}}

  accept
    domains = +relay_to_domains
    endpass
    verify = recipient

  accept