Setting up sendmail on a new CentOS7 system -- decided to use the system packages instead of compiling from original source, as I always have before, mostly so I'll get secure and auth SMTP; the myriad dependencies always defeated me before.

    yum install sendmail sendmail-cf
    # build my config files [long story], install in /etc/mail.
    systemctl enable sendmail # enable for reboot
    # enable port in firewall:
    firewall-cmd --permanent --zone=public --add-service=mail
    firewall-cmd --reload
    firewall-cmd --list-all

The main additional thing is to set up fail2ban.
I found these rules helpful (thanks), as well as the manual and all. I ended up defining my failregex list since others did not match, or did not match enough. Here they are:

    failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=.*, relay=.*, reject=550 .* Rejected:listed .*$
                ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=.*, relay=(.* )?\[<HOST>\].*, reject=.*(Domain of sender|Relaying (temporarily )?denied).*$
                ^%(__prefix_line)sruleset=check_relay, arg1=.*, arg2=.*, relay=(.* )?\[<HOST>\].*, reject=421 .*Connection rate limit.*$
                ^%(__prefix_line)s\w{14}: ruleset=check_mail, arg1=.*, relay=(.* )?\[<HOST>\].*, reject=55.*$
                ^%(__prefix_line)s\w{14}: rejecting commands from \[<HOST>\].* due to pre-greeting traffic.*$
                ^%(__prefix_line)s\w{14}: (.* )?\[<HOST>\].* did not issue MAIL.*$
                ^%(__prefix_line)s\w{14}: .* relay=(.* )?\[<HOST>\].* \(may be forged\)$
                ^%(__prefix_line)s\w{14}: lost input channel from (.* )?\[<HOST>\].* to MTA.*$

I put this into /etc/fail2ban/filter.d/sendmail-reject-karl.conf, and then this block in jail.local:

    [sendmail-reject-karl]
    enabled = true
    port = smtp,465,submission
    logpath = %(syslog_mail)s
    backend = %(syslog_backend)s

Fingers crossed. Took about seven minutes for the first spammers to show up after I opened the port.
(I don't know why advogato is inserting blank lines in all the pre blocks ... whatever ...)
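
A way to check patterns like these against log lines before enabling the jail, as an added example that is not part of the original post: it expands four of the filter's patterns, written with fail2ban's `<HOST>` tag inside the brackets, and counts matches per address. `PREFIX`, `HOST`, the sample log lines and the `maxretry` of 3 are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Simplified stand-ins (assumptions): fail2ban's own __prefix_line and <HOST>
# are broader (separate date handling, IPv6 and hostnames).
PREFIX = r"\w{3} +\d+ [\d:]{8} \S+ (?:sendmail|sm-mta)\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Four of the filter's patterns, with the <HOST> tag inside the brackets.
FAILREGEX = [
    r"^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=.*, relay=(.* )?\[<HOST>\].*, reject=.*(Domain of sender|Relaying (temporarily )?denied).*$",
    r"^%(__prefix_line)sruleset=check_relay, arg1=.*, arg2=.*, relay=(.* )?\[<HOST>\].*, reject=421 .*Connection rate limit.*$",
    r"^%(__prefix_line)s\w{14}: (.* )?\[<HOST>\].* did not issue MAIL.*$",
    r"^%(__prefix_line)s\w{14}: .* relay=(.* )?\[<HOST>\].* \(may be forged\)$",
]
# Same two substitutions fail2ban performs: config interpolation, then <HOST>.
COMPILED = [re.compile((p % {"__prefix_line": PREFIX}).replace("<HOST>", HOST))
            for p in FAILREGEX]

# Constructed sample log lines (documentation addresses, made-up queue IDs).
SAMPLE_LOG = [
    "May 20 09:53:35 mx1 sendmail[12345]: u4K9rZ9k012345: ruleset=check_rcpt, arg1=<a@example.net>, relay=[203.0.113.7], reject=550 5.7.1 <a@example.net>... Relaying denied",
] * 3 + [
    "May 20 09:54:02 mx1 sendmail[12350]: u4K9s2Aa012350: [198.51.100.23] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "May 20 09:55:10 mx1 sendmail[12360]: ruleset=check_relay, arg1=h.example.org, arg2=192.0.2.44, relay=h.example.org [192.0.2.44], reject=421 4.3.2 Connection rate limit exceeded.",
    # Accepted message whose relay failed the forward/reverse DNS check.
    "May 20 09:55:40 mx1 sendmail[12380]: u4K9v1Cc012380: from=<b@example.org>, size=900, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=dsl.example.org [192.0.2.99] (may be forged)",
    # Ordinary accepted message: must not match any pattern.
    "May 20 09:56:00 mx1 sendmail[12370]: u4K9u0Bb012370: from=<c@example.com>, size=1204, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.0.2.10]",
]

def scan(lines):
    """Count failregex hits per source address; at most one hit per line."""
    hits = Counter()
    for line in lines:
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits

def offenders(lines, maxretry=3):
    """Addresses with at least maxretry hits (maxretry=3 is an assumption)."""
    return sorted(ip for ip, n in scan(lines).items() if n >= maxretry)

if __name__ == "__main__":
    print(dict(scan(SAMPLE_LOG)), offenders(SAMPLE_LOG))
```

On the server itself, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sendmail-reject-karl.conf` runs the real filter over the real log (`/var/log/maillog` being the usual CentOS 7 location).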