17 Nov 2016 karlberry   » (Master)

Setting up sendmail on a new CentOS7 system -- decided to use the system packages instead of compiling from original source, as I always have before, mostly so I'll get secure and auth SMTP; the myriad dependencies always defeated me before.

yum install sendmail sendmail-cf
# build my config files [long story], install in /etc/mail.
systemctl enable sendmail # enable for reboot
# enable port in firewall:
firewall-cmd --permanent --zone=public --add-service=mail
firewall-cmd --reload
firewall-cmd --list-all

The main additional thing is to set up fail2ban.
I found these rules helpful (thanks), as well as the manual and all. I ended up defining my failregex list since others did not match, or did not match enough. Here they are:


failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=.*, relay=.*, reject=550 .* Rejected: listed .*$
            ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=.*, relay=(.* )?\[<HOST>\].*, reject=.*(Domain of sender|Relaying (temporarily )?denied).*$
            ^%(__prefix_line)sruleset=check_relay, arg1=.*, arg2=.*, relay=(.* )?\[<HOST>\].*, reject=421 .*Connection rate limit.*$
            ^%(__prefix_line)s\w{14}: ruleset=check_mail, arg1=.*, relay=(.* )?\[<HOST>\].*, reject=55.*$
            ^%(__prefix_line)s\w{14}: rejecting commands from \[<HOST>\].* due to pre-greeting traffic.*$
            ^%(__prefix_line)s\w{14}: (.* )?\[<HOST>\].* did not issue MAIL.*$
            ^%(__prefix_line)s\w{14}: .* relay=(.* )?\[<HOST>\].* \(may be forged\)$
            ^%(__prefix_line)s\w{14}: lost input channel from (.* )?\[<HOST>\].* to MTA.*$


I put this into /etc/fail2ban/filter.d/sendmail-reject-karl.conf, and then this block in jail.local:


[sendmail-reject-karl]
enabled = true
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
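
A quick offline check of how patterns like these behave, added here as an example and not part of the original post: four of the failregex entries are expanded roughly the way fail2ban expands them and run over constructed log lines. The prefix and host patterns, the log lines, the maxretry value of 3, and the presence of fail2ban's <HOST> tag between the escaped brackets are assumptions.

```python
import re
from collections import Counter

# Simplified stand-ins (assumptions): fail2ban's own __prefix_line comes from
# filter.d/common.conf, and its <HOST> also accepts IPv6 and hostnames.
PREFIX = r"\w{3} +\d+ [\d:]{8} \S+ (?:sendmail|sm-mta)\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Four of the post's patterns, with <HOST> assumed between the brackets.
FAILREGEX = [
    r"^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=.*, relay=(.* )?\[<HOST>\].*, reject=.*(Domain of sender|Relaying (temporarily )?denied).*$",
    r"^%(__prefix_line)s\w{14}: ruleset=check_mail, arg1=.*, relay=(.* )?\[<HOST>\].*, reject=55.*$",
    r"^%(__prefix_line)s\w{14}: rejecting commands from \[<HOST>\].* due to pre-greeting traffic.*$",
    r"^%(__prefix_line)s\w{14}: (.* )?\[<HOST>\].* did not issue MAIL.*$",
]

# Constructed log lines using documentation addresses, not real traffic.
SAMPLE_LOG = """\
Nov 17 12:03:41 mx1 sendmail[2101]: uAHC3fXk002101: ruleset=check_rcpt, arg1=<a@example.net>, relay=[203.0.113.7], reject=550 5.7.1 <a@example.net>... Relaying denied
Nov 17 12:03:44 mx1 sendmail[2102]: uAHC3iXk002102: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 17 12:04:02 mx1 sendmail[2103]: uAHC42Xk002103: rejecting commands from [198.51.100.23] due to pre-greeting traffic after 0 seconds
Nov 17 12:04:09 mx1 sendmail[2104]: uAHC49Xk002104: ruleset=check_mail, arg1=<x@invalid.example>, relay=host.example [203.0.113.7], reject=553 5.1.8 <x@invalid.example>... Domain of sender address x@invalid.example does not exist
Nov 17 12:05:10 mx1 sendmail[2110]: uAHC5AXk002110: from=<alice@example.org>, size=1420, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
""".splitlines()

def compile_filters(patterns=FAILREGEX):
    """Expand the two fail2ban placeholders and compile each pattern."""
    return [re.compile(p.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))
            for p in patterns]

def count_failures(lines, filters=None):
    """Count matching lines per source address; each line counts once."""
    filters = filters or compile_filters()
    hits = Counter()
    for line in lines:
        for rx in filters:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits

def hosts_to_ban(lines, maxretry=3):
    """Addresses with at least maxretry failures (findtime is ignored here)."""
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)

if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))
    print(hosts_to_ban(SAMPLE_LOG))
```

On the installed system, fail2ban-regex given the mail log and the filter file as arguments runs the same kind of check against the real filter and real log.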


Fingers crossed. Took about seven minutes for the first spammers to show up after I opened the port.

(I don't know why advogato is inserting blank lines in all the pre blocks ... whatever ...)
