specify a maximum message size for host that are relayed:

in acl/30_exim4-config_check_rcpt:

  accept
    hosts = +relay_from_hosts
    control = submission/sender_retain
    control = dkim_disable_verify
    # no size limit checking -- use a max_message_size
    set acl_m_size = ${readfile{CONFDIR/max_message_size}{}}

this expects a file named CONFDIR/max_message_size to be present an containing a reasonable limit in bytes.

limit the message size on a per domain setting expects CONFDIR/message_size to exist and respects settings in CONFDIR/virtual/<DOMAIN>/message_size.

in acl/30_exim4-config_check_rcpt:

  require
    verify = recipient
    # set acl_m_size to the mail size limit of the domain (to be evaluated later
    # in the data acl.
    set acl_m_size = ${if exists{CONFDIR/virtual/$domain/message_size} \
                             {${readfile{CONFDIR/virtual/$domain/message_size}{}}} \
                             {${readfile{CONFDIR/message_size}{}}}}

in acl/40_exim4-config_check_data add the following:

  # check message size
  # acl_m_size gets set to the maximum message size for the domain or the
  # default setting in rcpt acl.
  deny
    message = Message size $message_size is larger than the limit of $acl_m_size bytes
    condition = ${if >{$message_size}{$acl_m_size} {yes}{no}}

you should add this block before checking for viruses and/or spam because the operation is way more inexpensive than the others…