Drops mail between domains on the same server

Hello,
The server hosts two mail domains, example. com and test .net.
When accessing smtp from one domain to another, an error is obtained
2023-01-24 10:42:07 H=smtp.mail. com [xx.xx.xxx.xx] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no F=<not@example. com> rejected RCPT < info@test. net>: smtp auth required

This happens because of this policy:
deny message = smtp auth required
sender_domains = +local_domains
!authenticated = *

If we change this policy:
deny message = smtp auth required
sender_domains = !+local_domains
!authenticated = *
Then mail works and example. com can send mail to test. net

But I don’t understand the meaning of this policy.
Changing this policy makes the server vulnerable from the outside, or it only affects the behavior of the server’s mail domains.

On the forum I found a record that an open relay will turn out.

Can you provide more information on this policy?

I don’t have any issues with send email internal via Webmail.

On the server between domains mail goes.
It turns out that the letter is sent from another mail server with a different email address, but [email protected] is substituted in the header. Such a letter should go to the [email protected] mailbox. But it does not get there, since the policy from my first post prohibits it.

So I want to understand how this policy works:
deny message = smtp auth required
sender_domains = +local_domains
!authenticated = *

and what can threaten the server if it is changed to:
deny message = smtp auth required
sender_domains = !+local_domains
!authenticated = *

I’m also not having any problems sending mail between local domains on the same machine.

The config lines you mention come in the acl_check_rcpt block. I wonder where exim thinks its sending things. Try “exim -bt [email protected]” and it will tell you what its trying to do. There may be a clue.

In the headers of the letter I see the following information

Received: from smtp.mail. com([xx.xx.xxx.xx])
         by test.net with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
         (Exim 4.90_1)
         (envelope-from <not@example. com>)
         id 1pIZ9b-jse13x8-1z
         for info@test. net; Thu, 19 Jan 2023 20:56:47 +0300
To: info@test. net

Address spoofing envelope-from <not@example. com>
but these are all legitimate servers and such a substitution is necessary.