Part of the beauty of our own IP address space is security provided by knowing your neighbors. I'd never run an open SIP or mail server on the wide internet anymore. Spam filtering is a big headache.
Again, I'd firewall everyone but us for the mail port:
iptables -A INPUT ! -s 44.0.0.0/8 -p tcp --dport 25 -j DROP
If you have a Google Apps account (free for non-profits) you can use them as a mail exchanger.
Set your DNS records to something like this:
gvcity.ampr.org MX 10 gvcity
gvcity.ampr.org MX 20 aspmx.l.google.com
Outside (non 44 net) IPs will time out on a direct connect to 44.2.14.1 and will move on to try the next exchanger preference, in this case Google.
Google will accept the mail on your behalf, and they have good spam filtering (better than I could ever figure out how to incorporate with sendmail) and then I typically use fetchmail to transfer the mail from Google back into my local mailboxes.
If someone else wants to document a mailserver setup with spam protection, I'm all eyeballs on that one. I'm sure a number of people would appreciate that tutorial.
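The MX fallback described in the post, modeled as an added example that is not part of the original message: it walks the two MX records in preference order and applies the 44.0.0.0/8 port 25 restriction to show which exchanger ends up accepting mail from a given sender. It assumes the `gvcity` exchanger is the host at 44.2.14.1 and that the Google exchanger accepts connections from any source; the sender addresses are constructed.

```python
import ipaddress

# MX records as given in the post: (preference, exchanger)
MX_RECORDS = [(20, "aspmx.l.google.com"), (10, "gvcity")]

# Models the post's iptables rule: port 25 on the local host is reachable
# only from 44.0.0.0/8. Exchangers not listed here are assumed open to all.
ALLOWED_SOURCES = {"gvcity": ipaddress.ip_network("44.0.0.0/8")}


def reachable(exchanger, source_ip):
    """True if source_ip can open TCP/25 on exchanger in this model."""
    net = ALLOWED_SOURCES.get(exchanger)
    return net is None or ipaddress.ip_address(source_ip) in net


def delivery_path(source_ip, records=MX_RECORDS):
    """Return (attempts, accepted_by): the exchangers tried in preference
    order and the one that accepted the mail (None if every one timed out)."""
    attempts = []
    for _pref, exchanger in sorted(records):
        attempts.append(exchanger)
        if reachable(exchanger, source_ip):
            return attempts, exchanger
    return attempts, None


if __name__ == "__main__":
    # Constructed senders: one inside 44/8, one from a documentation range.
    for src in ("44.2.14.50", "203.0.113.7"):
        tried, accepted = delivery_path(src)
        print(f"{src}: tried {tried}, accepted by {accepted}")
```

Passing a record list with only the `gvcity` entry shows the failure mode without a second exchanger: outside senders have nowhere to deliver.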