Deploying Signals for On-Premises: PowerMTA Integration


Aug 30, 2019

Publisher

Bird

Category

Email


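Let’s dive into the details of setting up PowerMTA for SparkPost Signals. You’ll need:

  • A host to run the latest version of PowerMTA on; this can be a new machine or an existing one

  • A SparkPost account with API key permission for “Incoming Events: Write”, as described here

We’ll set up PowerMTA to stream events to your SparkPost account, after which you’ll be able to use the following: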

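Firstly, install (or upgrade to) PowerMTA 5.0 r4 or later, following the usual v5.0 installation instructions, which are pretty straightforward. Then we’ll work through the following steps:

  • Configure the PowerMTA connector to SparkPost Signals

  • Set up engagement tracking with a custom tracking domain

  • Select which PowerMTA traffic streams to report to Signals

  • Test that your events are reaching Signals

  • Review how to use meaningful names that show up well in reports

We’ll also cover other specific PowerMTA setup aspects used in our Signals demo:

  • FBL events (spam complaints) and remote (out-of-band) bounces

  • Injection configuration, including DKIM

  • FBL and OOB configuration

  • VirtualMTA setup and naming (and how this appears in your SparkPost Signals reports)

Finally, there’s a “bonus feature” with code to ensure your campaign names are compatible with PowerMTA X-Job name conventions.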


Configure PowerMTA connector

The Signals configuration is described in Section 10.1 of the 5.0 User Guide. Here we’ll start with “Use Case #2”, which enables Signals for all traffic from this PowerMTA host, and enables SparkPost engagement tracking.

    #
    # SparkPost Signals
    #
    <signals>
        api-key ##my ingest API key here##
        upload-url https://api.sparkpost.com/api/v1/ingest/events
        log-verbose true
        min-free-space 1G
        engagement-tracking sparkpost   # this turns on the open and click tracking in PowerMTA
        customer-id 123                 # Your SparkPost account number here
    </signals>

    enable-signals true

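Here’s what each attribute does.

api-key

This is unique to your SparkPost account; it’s the value you obtained from SparkPost earlier.

upload-url

This needs to match the address of your SparkPost API service, whether that is US or EU. For more information see here. The usual values are:

SparkPost (US): https://api.sparkpost.com/api/v1/ingest/events

SparkPost EU:   https://api.eu.sparkpost.com/api/v1/ingest/events

log-verbose

This directive is optional. When enabled, it gives more information in the pmta.log file, which can be useful during setup to confirm that everything is working correctly. Every minute, even when there is no traffic, you’ll see:

    2019-07-26 11:47:57 Signals: Discovered 0 files

With traffic, you’ll see something like:

    2019-07-26 11:50:57 Signals: Discovered sp1-0000000000003FBD.json
    2019-07-26 11:50:57 Signals: Transferred sp1-000000003FBD.json successfully.
    2019-07-26 11:50:57 Signals: Discovered 1 file, transferred 1 file successfully

min-free-space

This tells PowerMTA the disk space threshold at which it should begin deleting the oldest SparkPost JSON event files to make room for new files when disk space is running low.

enable-signals

This tells PowerMTA to upload to Signals, in this case globally for all traffic (more info here, for v5.0). You can be more selective about what traffic streams to upload if you wish.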

You can also mark particular PowerMTA traffic to be reported as belonging to a SparkPost subaccount – this is another way to distinguish one particular traffic stream from another.

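engagement-tracking, customer-id

PowerMTA’s Engagement Tracking solution defaults to the tracking domain for the SparkPost US-hosted service. You specify your SparkPost numeric customer ID; here are instructions for finding it.

tracking-domain

For SparkPost EU accounts, add the following line:

tracking-domain pmta.eu.spgo.io # This is the endpoint for SparkPost EU

Custom tracking domain

If you’d prefer to use your own tracking domain (this is better from a deliverability standpoint), do the following: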

  • Create a tracking domain with your DNS provider by creating a CNAME record. This will usually be a subdomain of your top-level domain, e.g. track.mycompany.com.

    track.mycompany.com CNAME pmta.spgo.io      # if you have a SparkPost US account
    track.mycompany.com CNAME pmta.eu.spgo.io   # if you have a SparkPost EU account

You can also use HTTPS tracking domains, although this is more involved (see SparkPost configuration steps here).

  • Register the tracking domain in your SparkPost account, and verify it. Wait a few minutes before trying this, to allow your DNS changes to propagate through the Internet, depending on your DNS provider.

  • Configure PowerMTA to use that domain instead of the default, with:

tracking-domain yourdomain.com # Put your own domain here

You can check that your delivered emails have the “open pixels” added and the links wrapped by looking at the internals of the mail (in Gmail, use the upper-right menu and choose “Show original”).


You’ll notice the open pixels at the beginning and end of the HTML in the email. Each HTML link is also changed to have HREF pointing to the tracking domain.


That’s all you need to get SparkPost Signals working with PowerMTA’s built-in Engagement Tracking.

Preventing specific links in your HTML email from being tracked

You can prevent PowerMTA from tracking specific links by setting the custom attribute data-msys-clicktrack to “0”:

<a href="#" data-msys-clicktrack="0">Example</a>

PowerMTA will not wrap the link. It will also remove that attribute before transmitting the message to your recipient.
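The check described above (reading the source of a delivered message) can be scripted. The following is an added example, not code from the original article or from PowerMTA: it sorts a message’s links and images by whether they point at your tracking domain, and counts any data-msys-clicktrack attribute that survived delivery. The sample HTML and its URL paths are constructed placeholders; only the host names come from this page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a delivered HTML part; URL paths are placeholders.
DELIVERED = """<html><body>
<img src="http://track.mycompany.com/q/PLACEHOLDER1" width="1" height="1">
<a href="http://track.mycompany.com/f/PLACEHOLDER2">Offer</a>
<a href="https://www.mycompany.com/unsubscribe">Opted out of tracking</a>
<a href="http://pmta.spgo.io/f/PLACEHOLDER3">Wrapped with the default domain</a>
<img src="http://track.mycompany.com/q/PLACEHOLDER4" width="1" height="1">
</body></html>"""


class TrackingReport(HTMLParser):
    """Sort links and images by whether they use the tracking domain."""

    def __init__(self, tracking_domain):
        super().__init__()
        self.domain = tracking_domain.lower()
        self.pixels = 0        # images served from the tracking domain
        self.tracked = []      # links wrapped with the tracking domain
        self.untracked = []    # links pointing anywhere else
        self.leftover = 0      # opt-out attributes still present

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src" if tag == "img" else "href") or ""
        host = urlsplit(url).hostname or ""
        if tag == "img" and host == self.domain:
            self.pixels += 1
        elif tag == "a" and url:
            bucket = self.tracked if host == self.domain else self.untracked
            bucket.append(url)
            if "data-msys-clicktrack" in a:
                self.leftover += 1   # PowerMTA removes this before sending


def report(html, tracking_domain):
    """Parse one HTML part and return the filled-in TrackingReport."""
    r = TrackingReport(tracking_domain)
    r.feed(html)
    return r
```

Anything in `untracked` that you did not opt out on purpose, such as a link still wrapped with the default domain, means the custom tracking-domain setting is not taking effect for that message.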


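Select which PowerMTA traffic streams to report to Signals

You can choose the traffic for which Signals is active:

  • Globally (this is what we used in the example above)

  • For some virtual MTAs and not others

  • For some virtual MTA pools and not others

  • For particular “Sender” or “From” addresses relayed through PowerMTA, in conjunction with virtual MTA / virtual MTA pool selections

This configuration is very powerful and is illustrated through a series of use cases (v5.0) in the User Guide.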


Test that your events are reaching Signals

Here’s a view of SparkPost Signals connected to PowerMTA. You can see the health score varying.


Campaign names are available as a reporting facet, along with Subaccount, IP Pool, Mailbox Provider, and Sending Domain.

As well as looking at the PowerMTA logs, you can check that event data is reaching SparkPost by looking at the Signals Integration screen.


In your SparkPost Events Search screen, you should see events appear within a few minutes. These will include Injection and Delivery events, as well as Bounce, and potentially Out-of-Band Bounce and Spam Complaint events, if you’ve already configured PowerMTA to handle those for you.

If you have Engagement Tracking enabled, you will also see open, initial_open, and click events.


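Using meaningful names that show up well in reports

Setting up the PowerMTA VirtualMTA Pool names and Job names to be meaningful and human-readable is well worth doing. These show up directly in your SparkPost Signals facets and the Summary Report.

As noted earlier, you don’t need to create these pools in your SparkPost account. SparkPost picks them up from your PowerMTA configuration.

Here’s how PowerMTA configuration terms translate to SparkPost terms.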

| PowerMTA term | SparkPost Reports / Signals term |
|---|---|
| Recipient Domain (domain portion of “rcpt” field in Accounting file) | Recipient Domain |
| The domain portion of the “Sender” or “From” header in the message relayed by PowerMTA (domain portion of “orig” in Accounting file) | Sending Domain |
| VirtualMTA (name) | — |
| VirtualMTA Pool (name) (“vmtaPool” in accounting file) | IP Pool (name) |
| smtp-source-host a.b.c.d (“dlvSourceIp” in accounting file) | Sending IP a.b.c.d |
| Job (name) (“jobId” in accounting file) | Campaign ID (name) |
| — | Template (name) |
| “Subaccount” is not a native PowerMTA concept. However, PowerMTA can tag virtualMTAs, virtual MTA pools, or Sender-or-From domains with a subaccount ID for SparkPost reporting purposes. | Subaccount ID (number) |
| FBL (event) | Spam Complaint (event) |
| Remote bounce (event) | Out-of-band bounce (event) |

 

Setting up at least one smtp-source-host address also enables SparkPost to correctly identify the sending IP address so that it shows up on Injection and Delivery events, as well as in the Summary Report view.

Job names are set in PowerMTA via a header in the injected message. As well as enabling individual job control (pause/resume etc.), which is useful in itself, PowerMTA passes the names through to SparkPost Signals reporting as “campaign ID”. See User Guide v5.0 section 12.8, “Tracking a campaign in PowerMTA with a JobID”.

There are a few things to be aware of regarding job naming. While SparkPost (with JSON format, and JSON escaping) allows characters such as <SPACE> in campaign names, mail headers are more restrictive. Valid characters allowed in the X-Job header are:

A-Za-z0-9!#$%&'()*+,-./:;<=>?@[\]^_{|}~ 

In other words, disallowed characters include <SPACE>, double-quotes " and backtick `. If you’re used to working with X-Job names, this won’t be surprising, and your campaign ID names will “just work” on SparkPost reporting. If, like me, you learned SparkPost first, you might want a tool to ensure your X-Job values are safe; see the bonus feature at the end of this article.

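FBL events (Spam Complaints) and remote (out-of-band) bounces

PowerMTA can receive and process FBL events (known in SparkPost as Spam Complaint events) and remote bounces (known in SparkPost as out-of-band bounces, because the response comes back some time later rather than during the SMTP conversation).

There are articles in the Port25 Support Forum on how to set up the Bounce Processor and the FBL Processor. If you are an existing PowerMTA user, you probably already have these.

Here’s the configuration I did for a demo, based on these articles and oriented towards hosting PowerMTA in Amazon EC2.

If you’re familiar with this aspect of PowerMTA configuration, you can skip this part, down to the next horizontal line.

Injection configuration

We’ll use port 587 for injected messages, which will be coming over the public Internet from another host. We need to stop bad actors from discovering and abusing this service, so we apply username/password authentication and optional TLS, similar to the SparkPost SMTP injection endpoints.

We want to be able to send messages from properly authenticated sources to any destination. We also want a separate listener on port 25 for FBLs and remote bounce responses, which does not require authentication.

    # IP address(es) and port(s) on which to listen for incoming SMTP connections
    #
    smtp-listener 0.0.0.0:587
    smtp-listener 0.0.0.0:25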

In the following <source> declarations, we’re using username/password authentication and optional TLS to defend against rogue message injection. We also set rate limits on connections making failed password attempts.

Your setup may be different; for example, if you have a private network between the injector and PowerMTA, you won’t need password authentication.

    # One source rule for all injection, internal or external. Enforce auth, except for bounces and FBLs
    #
    <source 0/0>
        log-connections false
        log-commands    false       # WARNING: verbose! just for dev
        log-data        false       # WARNING: even more verbose!
        smtp-service    true        # allow SMTP service
        smtp-max-auth-failure-rate 1/min
        allow-unencrypted-plain-auth false
        allow-starttls  true
        rewrite-list    mfrom
    </source>

    <source {auth}>
        always-allow-relaying yes   # only if the auth succeeds
        default-virtual-mta default
        process-x-job   true
    </source>

The <source {auth}> declaration (see here, v5.0) applies once authentication has passed. Here, it allows onward relaying, sets up the default virtual MTA group to use, and adds the X-Job header (which will be reported by SparkPost Signals as campaign_id).

The rewrite list maps injected messages to use a specific MAIL FROM domain (also known as the bounce domain or Return-Path:).

    #
    # Rewrite the MAIL FROM address to match the bounce domain
    #
    <rewrite-list mfrom>
        mail-from *@pmta.signalsdemo.trymsys.net *@bounces.pmta.signalsdemo.trymsys.net
    </rewrite-list>

Then we set up our TLS configuration and SMTP username / password, according to current recommendations.

    #
    # Secure the inbound service with username, password and TLS. SMT 2020-06-15
    #
    smtp-server-tls-certificate /etc/pmta/pmtasignalsdemo.pem
    smtp-server-tls-allow-tlsv1 false
    smtp-server-tls-allow-tlsv1.1 false
    smtp-server-tls-allow-tlsv1.2 true
    smtp-server-tls-allow-tlsv1.3 true

    #
    # SMTP users (authenticated via SMTP AUTH)
    #
    <smtp-user SMTP_Injection>
        password ##PUT YOUR PASSWORD HERE##
        authentication-method password
    </smtp-user>

We can check that the (insecure, deprecated) TLS v1.0 is not accepted using my favorite SMTP test tool, swaks.

swaks --server pmta.signalsdemo.trymsys.net --port 587 --to test@trymsys.net --from any@sparkpost.com --tls --tls-protocol tlsv1

We see:

    *** TLS startup failed (connect(): error:000000:lib(0):func(0):reason(0))
    *** STARTTLS attempted but failed

Likewise for --tls-protocol tlsv1_1.

Let’s also apply DKIM signing on our outgoing messages, as it’s good practice (I followed these instructions to set up the key).

    # DKIM
    #
    domain-key mypmta, pmta.signalsdemo.trymsys.net, /etc/pmta/mypmta.pmta.signalsdemo.trymsys.net.pem


FBL and OOB configuration

Now .. finally .. we declare which specific domains are open for remote bounce and FBL responses. We don’t want to relay those anywhere (to prevent backscatter attacks), just internally process those responses.

    #
    # Enable Bounce and FBL processing on specific domains
    #
    relay-domain pmta.signalsdemo.trymsys.net
    relay-domain bounces.pmta.signalsdemo.trymsys.net
    relay-domain fbl.pmta.signalsdemo.trymsys.net

    <bounce-processor>
        deliver-unmatched-email no
        deliver-matched-email no
        <address-list>
            domain pmta.signalsdemo.trymsys.net
            domain bounces.pmta.signalsdemo.trymsys.net
        </address-list>
    </bounce-processor>

    <feedback-loop-processor>
        deliver-unmatched-email no
        deliver-matched-email no
        <address-list>
            domain fbl.pmta.signalsdemo.trymsys.net
        </address-list>
    </feedback-loop-processor>

You can see I set up two bounce domains, as I was playing around with using/not using the mfrom rewrite rule.

The FBL domain is usually then registered with external services such as Microsoft SNDS; see this article for more information. For this demo, the FBLs will be coming from the Bouncy Sink, so no need to register.


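Testing the SMTP listener

It’s important to test that your SMTP listener requires authorization for any general destination, and rejects any messages that are not specifically addressed to the FBL and remote bounce domains.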

swaks --server pmta.signalsdemo.trymsys.net --port 25 --to test@strange.pmta.signalsdemo.trymsys.net --from any@sparkpost.com

The response, as expected, shows that relaying is denied:

550 5.7.1 relaying denied for recipient in "RCPT TO:<test@strange.pmta.signalsdemo.trymsys.net>
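The hardening choices in the demo configuration above can also be checked statically, before a config is deployed. This is an added example, not part of the original article or of PowerMTA: a small audit over the directive names shown on this page, run against a constructed sample in which some settings have been weakened. It only sees directives that are set explicitly and does not know PowerMTA’s defaults.

```python
ON = {"yes", "true"}   # boolean spellings used in this page's configuration
# Constructed sample: demo directives, three weakened, auth rate limit omitted.
WEAK = """
smtp-server-tls-allow-tlsv1 true        # weakened
<source 0/0>
    smtp-service true
    allow-unencrypted-plain-auth true   # weakened
    always-allow-relaying yes           # weakened: relays before any login
</source>
<source {auth}>
    always-allow-relaying yes           # fine: applies only after SMTP AUTH
</source>
"""

def load(text):
    """Return {scope: {directive: value}}; scope '' is the top level."""
    blocks, stack = {"": {}}, [""]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            stack.append(line.strip("<>").strip())
            blocks.setdefault(stack[-1], {})
        elif line:
            key, _, value = line.partition(" ")
            blocks[stack[-1]][key] = value.strip().lower()
    return blocks

def audit(text):
    """List settings weaker than the demo configuration on this page."""
    blocks, out = load(text), []
    for ver in ("tlsv1", "tlsv1.1"):
        if blocks[""].get("smtp-server-tls-allow-" + ver) in ON:
            out.append(f"{ver} accepted")
    for scope, d in blocks.items():
        if scope.startswith("source ") and scope != "source {auth}":
            if d.get("always-allow-relaying") in ON:
                out.append(f"<{scope}> relays without auth")
            if d.get("allow-unencrypted-plain-auth") in ON:
                out.append(f"<{scope}> allows plaintext auth")
            if "smtp-max-auth-failure-rate" not in d:
                out.append(f"<{scope}> has no auth failure rate limit")
        if scope.endswith("-processor") and d.get("deliver-unmatched-email") in ON:
            out.append(f"<{scope}> delivers unmatched mail")
    return out

if __name__ == "__main__":
    print("\n".join(audit(WEAK)))
```

A source block for a trusted private network may relay without authentication by design, as noted earlier, so treat that finding as a prompt to review rather than an error.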

(End of demo setup notes.)

VirtualMTA setup and naming

PowerMTA VirtualMTAs (and VirtualMTA pools) are powerful features for managing message streams, and the PowerMTA / SparkPost Signals reporting features work best with these active.

    #
    # Route all outgoing traffic through this virtual mta / pool.
    # Declare the delivery IP address here, so that SparkPost signals ingest injection (aka "reception") events
    # will carry the correct sending_IP attribute
    #
    <virtual-mta mta1>
        smtp-source-host 172.31.25.101 pmta.signalsdemo.trymsys.net
    </virtual-mta>

    <virtual-mta-pool default>
        virtual-mta mta1
        <domain *>
            max-smtp-out    20       # max. connections *per domain*
            bounce-after    4d12h    # 4 days, 12 hours
            retry-after     10m      # 10 minutes
            dkim-sign       yes
        </domain>
    </virtual-mta-pool>

The virtual-mta-pool setting is reported in SparkPost as “IP Pool”, and is available as a SparkPost Signals reporting facet (the drop-down menu underneath the charts).


The Summary Report also shows IP Pool as a “Group By” reporting facet.


As noted earlier in this article, setting up at least one smtp-source-host address also enables SparkPost to correctly identify the sending IP address, so that it shows up on Injection and Delivery events, and on the Summary Report:


That’s all you need to get a basic integration working between PowerMTA and SparkPost Signals. You’ll find the full config file example here.

Before you go, here’s the bonus feature I mentioned.

Bonus feature: X-Job name checking / filtering

To ensure any character string is safe for use as a PowerMTA X-Job name, here’s a simple Python function to map any unsafe characters to an underscore “_”:

    import re

    def pmtaSafeJobID(s):
        """
        :param s: str
        :return: str
        Map an arbitrary campaign ID string into allowed chars for PMTA X-Job header.
        See https://download.port25.com/files/UsersGuide-5.0.html#tracking-a-campaign-in-powermta-with-a-jobid
        Specifically disallow <sp> " ` but allow through most other chars.
        """
        # Raw string, so only the regex-level escapes for - [ ] and \ are needed - see https://docs.python.org/3/library/re.html
        disallowedChars = r"[^A-Za-z0-9!#$%&'()*+,\-./:;<=>?@\[\\\]^_{|}~]"
        return re.sub(disallowedChars, '_', s)

This uses Python regular expressions in a specific way. It declares the set of disallowed characters using the “set complement” operator ^ rather than listing all allowed chars. That means we catch (and make safe) characters beyond the usual 7-bit set. We can show that using this test fragment:

    s = ''
    for i in range(32, 256):
        s += chr(i)
    print(pmtaSafeJobID(s))

giving:

    _!_#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^__abcdefghijkl
    mnopqrstuvwxyz{|}~___________________________________________________________
    ______________________________________________________________________

You can see that <SPACE>, double-quotes ", and backtick `, as well as all characters beyond ~, are mapped to underscore.
