Penguin

STARTTLS

Make sure that your SMTP server supports TLS (even if you don't have a certificate): when sending, it should use STARTTLS to any SMTP server that advertises it, so that mail between servers is encrypted opportunistically instead of always crossing the wire in clear.

For Debian stable, install the "exim-tls" package. For Debian testing/unstable, exim already supports TLS by default.

If you have an SSL/TLS certificate, make sure that exim knows about it, and that the names in your MX records match the name on the certificate (a client that verifies the certificate will refuse a name mismatch), so that incoming connections can be encrypted whenever the other side asks for it.

If you relay for other machines, you should also set up ssmtp (SMTP over SSL: TLS from the first byte rather than negotiated with STARTTLS) on port 465/tcp. This is important in particular for laptops which may be used at a hotel, cybercafe or over wireless where outgoing port 25 is often blocked; the submission port 587/tcp (with STARTTLS) serves the same purpose and is the standard choice for MUAs. MUAs should be configured to use ssmtp or the submission port where possible, and never to submit passwords over an unencrypted port 25 session.

SMTP Auth

Unless you can do challenge-response authentication (such as CRAM-MD5, where the password itself never crosses the wire), you should make sure your SMTP server supports TLS as outlined above. The easiest authentication to get working with SMTP is "PLAIN" or "LOGIN" authentication, but both send the password merely base64-encoded, which is not encryption, so they must only be offered and used inside a TLS session.

Information about configuring this with exim is on EximSmtpAuth
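As an added example (not from this page or from exim), the following Python script does the check the two sections above call for: it connects to a mail server, reads the EHLO extensions before and after STARTTLS (or over ssmtp on port 465), and reports whether PLAIN/LOGIN authentication is only offered inside TLS. The host name mail.example.org and the ports are assumptions; pass your own server on the command line.

```python
"""Check what an SMTP server advertises before and after STARTTLS.

Added example; it is not part of this page or of exim. Host and ports are
assumptions (mail.example.org is a placeholder).
"""
import smtplib
import ssl
import sys


def parse_ehlo(ehlo_text):
    """Turn the EHLO reply body into {EXTENSION: [params]}.

    smtplib hands back the body as bytes, one extension per line, e.g.
    b'mail.example.org\\nSTARTTLS\\nAUTH PLAIN LOGIN\\n8BITMIME'.
    The first line is the server's own name and is skipped.
    """
    if isinstance(ehlo_text, bytes):
        ehlo_text = ehlo_text.decode("ascii", "replace")
    extensions = {}
    for line in ehlo_text.splitlines()[1:]:
        parts = line.strip().split()
        if not parts:
            continue
        keyword = parts[0].upper()
        params = [p.upper() for p in parts[1:]]
        # Some servers use the old "AUTH=PLAIN LOGIN" spelling as well
        if keyword.startswith("AUTH="):
            params = [keyword[5:]] + params
            keyword = "AUTH"
        extensions.setdefault(keyword, []).extend(params)
    return extensions


def auth_exposure(before_tls, after_tls):
    """Classify the server from its EHLO extensions before/after STARTTLS.

    'no-starttls'    : STARTTLS never advertised; any AUTH is in clear
    'plaintext-auth' : PLAIN or LOGIN offered on the unencrypted connection
    'ok'             : AUTH only appears once the session is encrypted
    'no-auth'        : STARTTLS works but the server offers no AUTH at all
    """
    cleartext_mechs = {"PLAIN", "LOGIN"}
    if "STARTTLS" not in before_tls:
        return "no-starttls"
    if cleartext_mechs & set(before_tls.get("AUTH", [])):
        return "plaintext-auth"
    if after_tls.get("AUTH"):
        return "ok"
    return "no-auth"


def check_server(host, port=25):
    """Live check. Returns (classification, negotiated TLS version or None)."""
    # The default context verifies the chain and that the certificate matches
    # `host`, which is why the MX name must match the certificate name.
    ctx = ssl.create_default_context()
    if port == 465:
        # ssmtp: TLS from the first byte, no STARTTLS negotiation at all
        with smtplib.SMTP_SSL(host, port, context=ctx, timeout=15) as smtp:
            _, text = smtp.ehlo()
            after = parse_ehlo(text)
            return ("ok" if after.get("AUTH") else "no-auth"), smtp.sock.version()
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        _, text = smtp.ehlo()
        before = parse_ehlo(text)
        if "STARTTLS" not in before:
            return auth_exposure(before, {}), None
        smtp.starttls(context=ctx)
        _, text = smtp.ehlo()        # extensions must be re-read after STARTTLS
        after = parse_ehlo(text)
        return auth_exposure(before, after), smtp.sock.version()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"  # assumed placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    verdict, version = check_server(host, port)
    print("%s:%d -> %s (%s)" % (host, port, verdict, version or "no TLS"))
```

A server that reports "plaintext-auth" is handing out passwords to anyone on the path; "no-starttls" means server-to-server mail to it always travels in clear. Note that the second EHLO after STARTTLS is not optional: the extension list before TLS must be discarded, and a correctly configured server only lists AUTH in the second one.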

DNS Issues

Try not to put your mail server in what people might consider a "dynamic IP" range: many receiving sites block or heavily penalise mail from such ranges.

Make sure that you are not using a CNAME for the name you deliver to. For example, mail to "foo@fishbowl.example.com" will not work reliably if "fishbowl.example.com" is a CNAME to some other machine: an MTA may rewrite the address to the canonical name, or reject it outright.

Don't set an MX to point to an IP address! It won't work. An MX must point to a hostname which has an A record of its own: not a CNAME, not anything else (RFC 2181 section 10.3 forbids an MX target that is a CNAME).

Make sure that the reverse lookup of your outgoing mail server's IP address exists, that it has a matching forward (A) record pointing back to the same address, and, where possible, that your HELO/EHLO name matches the reverse name. Note that this name usually does not match the domain you want to receive mail for: it is the name of the machine, not of the domain.

Use http://dnsreport.com/ to verify that your DNS is in good healthy working order.

Publish an SPF record for your domain, so that receiving sites can check that mail claiming to come from your domain was sent from your mail servers.
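The following Python checks, added here as an example and not taken from this page or from dnsreport.com, apply the MX, CNAME and reverse-lookup rules above to a small constructed zone so that they run offline. All names and addresses in it are made up (example.org and the 192.0.2.0/24 documentation range); in practice you would fill the zone and reverse tables from dig or host output.

```python
"""Lint a mail domain's DNS the way the checklist above does.

Added example, not from this page or any tool it mentions. ZONE and
REVERSE are constructed sample data; every name and address is invented.
"""
import ipaddress

# Constructed zone: owner name -> list of (type, value). MX values are (pref, target).
ZONE = {
    "example.org.": [
        ("MX", (10, "mail.example.org.")),
        ("MX", (20, "mx2.example.org.")),
        ("MX", (30, "192.0.2.9")),                 # wrong: MX -> IP address
        ("MX", (40, "fishbowl.example.org.")),     # wrong: MX -> CNAME
    ],
    "mail.example.org.": [("A", "192.0.2.25")],
    "mx2.example.org.": [("A", "192.0.2.26")],
    "fishbowl.example.org.": [("CNAME", "mail.example.org.")],
}
# Constructed reverse (PTR) data: address -> name
REVERSE = {"192.0.2.25": "mail.example.org.", "192.0.2.26": "smtp-out.example.org."}


def rrs(zone, name, rtype):
    """All records of one type at a name (empty list if none)."""
    return [v for t, v in zone.get(name, []) if t == rtype]


def check_mx(zone, domain):
    """Every MX must name a host with an A record: no IP literals, no CNAMEs."""
    problems = []
    mxs = rrs(zone, domain, "MX")
    if not mxs:
        problems.append("no MX records for %s (delivery falls back to its A record)" % domain)
    for pref, target in mxs:
        try:
            ipaddress.ip_address(target.rstrip("."))
            problems.append("MX %d points at IP address %s; it must be a hostname" % (pref, target))
            continue
        except ValueError:
            pass                      # not an address literal, carry on
        if rrs(zone, target, "CNAME"):
            problems.append("MX %d target %s is a CNAME" % (pref, target))
        elif not rrs(zone, target, "A"):
            problems.append("MX %d target %s has no A record" % (pref, target))
    return problems


def check_delivery_name(zone, name):
    """Mail to user@<name> is looked up at <name>; a CNAME there is trouble."""
    if rrs(zone, name, "CNAME"):
        return ["%s is a CNAME; mail addressed to it will not work reliably" % name]
    return []


def check_outgoing(zone, reverse, ip, helo_name):
    """Reverse exists, forward record matches it, and HELO matches the reverse."""
    ptr = reverse.get(ip)
    if ptr is None:
        return ["no reverse (PTR) record for %s" % ip]
    problems = []
    if ip not in rrs(zone, ptr, "A"):
        problems.append("PTR %s -> %s, but %s has no A record back to %s" % (ip, ptr, ptr, ip))
    if helo_name.rstrip(".") != ptr.rstrip("."):
        problems.append("HELO name %s does not match reverse name %s" % (helo_name, ptr))
    return problems


if __name__ == "__main__":
    for p in (check_mx(ZONE, "example.org.")
              + check_delivery_name(ZONE, "fishbowl.example.org.")
              + check_outgoing(ZONE, REVERSE, "192.0.2.26", "mx2.example.org")):
        print("PROBLEM:", p)
```

Run as is, it flags the two bad MX records, the CNAME delivery name, and the second outgoing address whose reverse name has no forward record and does not match the HELO name; the first two MXs and 192.0.2.25 pass cleanly.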

Secondary MXs

In general secondary MXs have fallen out of favour in recent years, as the Internet is more reliable and there are techniques for keeping your primary up (such as load-balancing NATs). Having a secondary is good if your connectivity is unreliable; otherwise it's a pain.

Be aware that spammers regularly send to secondary MXs directly to avoid the aggressive RBL checks on the primary mail server. You can turn this against them by running a secondary MX that always returns a 400-series code (temporary failure), so that genuine senders queue the message and retry the primary later while most spamware simply gives up, or by making the secondary stricter with its RBL checks than the primary. Another trick is to list your primary MX a second time as the highest-number (lowest-priority) MX, so that spammers who deliberately pick the last MX hit the primary after all.

Regularly check that your backup MX still correctly relays to you. You won't notice a backup MX rejecting mail until the first time your primary goes down, at which point all your mail is bounced immediately (a 5xx rejection is final; it is not retried later).
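As an added example (not from this page, nor from exim), here is a minimal secondary MX in Python of the "always returns a 400-series code" kind: it greets, answers HELO/EHLO, and defers every MAIL, RCPT and DATA with a 450. The host name backup-mx.example.org and port 2525 are assumptions (a real one listens on 25). The reply logic is kept as a pure function so it can be checked without opening a socket.

```python
"""A secondary MX that defers everything with a 4xx reply.

Added example, not from this page or exim. A compliant sender that lands
here because the primary was briefly unreachable will keep the message
queued and retry (the primary first); spamware aiming at the lowest-priority
MX to dodge the primary's RBL checks generally does not retry at all.
backup-mx.example.org and port 2525 are placeholders.
"""
import socketserver

DEFER = "450 4.7.1 Primary MX is available; please retry there later"
NAME = "backup-mx.example.org"      # assumed name of this host


def respond(state, line):
    """Return (new_state, reply) for one command line from the client.

    state is 'start' before HELO/EHLO, 'ready' afterwards, 'closed' after QUIT.
    """
    parts = line.strip().split(None, 1)
    verb = parts[0].upper() if parts else ""
    if verb == "QUIT":
        return "closed", "221 2.0.0 Bye"
    if verb in ("HELO", "EHLO"):
        if len(parts) < 2:
            return state, "501 5.5.4 Syntax: %s hostname" % verb
        # Advertise no STARTTLS or AUTH: nothing is accepted here anyway
        reply = "250 %s" % NAME if verb == "HELO" else "250-%s\r\n250 8BITMIME" % NAME
        return "ready", reply
    if verb in ("NOOP", "RSET"):
        return state, "250 2.0.0 OK"
    if state != "ready":
        return state, "503 5.5.1 Send HELO/EHLO first"
    if verb in ("MAIL", "RCPT", "DATA"):
        # Temporary failure: real MTAs queue and retry, spam tools usually give up
        return state, DEFER
    return state, "502 5.5.2 Command not implemented"


class DeferringMX(socketserver.StreamRequestHandler):
    """One client connection, driven line by line through respond()."""

    def handle(self):
        self.wfile.write(("220 %s ESMTP backup MX\r\n" % NAME).encode("ascii"))
        state = "start"
        while state != "closed":
            raw = self.rfile.readline()
            if not raw:               # client hung up
                break
            state, reply = respond(state, raw.decode("ascii", "replace"))
            self.wfile.write((reply + "\r\n").encode("ascii"))


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    # Unprivileged port for trying it out; a real secondary MX listens on 25
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2525), DeferringMX) as srv:
        srv.serve_forever()
```

Because every reply is a temporary failure and never a 5xx, nothing is bounced: if a legitimate sender's retry window expires before your primary is back, the sender generates the bounce on its side, which is the same outcome as having no secondary at all. Keep the primary's own retry and RBL behaviour in mind when choosing this over a relaying secondary.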

Virus and spam filtering

TODO


CategoryBestPractices