Intermediate 15 min SMTP 421

421 Service Unavailable — SMTP Connection Refused

Symptoms

- Mail queue building up with deferred messages showing `421 4.7.0 Try again later`
- Postfix log: `host mail.example.com[1.2.3.4] said: 421 Too many concurrent connections`
- Intermittent delivery — some messages succeed, others defer and retry
- Sendmail queue shows messages repeatedly retrying with exponential backoff
- Recipients report delayed or missing email during peak sending periods

Root Causes

- Greylisting on the receiving server: the first delivery attempt from an unknown IP is deferred
- Sending server is opening too many simultaneous connections, triggering rate limiting
- Sending IP has a low reputation score; receiving server applies throttling
- Receiving mail server is temporarily overloaded or under maintenance
- ISP or receiving domain imposes per-IP connection concurrency limits

Diagnosis

**Step 1 — Check your mail queue**

```bash
# Postfix
mailq | head -40
postqueue -p | grep '421'

# Exim
exim -bp | grep 421
```

**Step 2 — Inspect SMTP logs for the specific 421 message**

```bash
grep '421' /var/log/mail.log | tail -30
# Look for: greylisting, too many connections, rate limit, service unavailable
```

**Step 3 — Test direct SMTP connectivity**

```bash
telnet mail.recipient.com 25
# Once connected, type the following inside the SMTP session (not at the shell prompt):
#   EHLO yourdomain.com
# If you immediately get 421, the server is refusing your IP
# If the connection hangs, firewall or port 25 blocking is likely
```

**Step 4 — Check your IP reputation**

```bash
# Look up your sending IP on blacklist checkers
# MXToolbox: https://mxtoolbox.com/blacklists.aspx
curl -s 'https://api.mxtoolbox.com/api/v1/Lookup/blacklist/?argument=1.2.3.4'

# Check reverse DNS (PTR record)
dig -x 1.2.3.4 +short
# Should resolve to a FQDN matching the sending domain
```

**Step 5 — Identify greylisting vs rate limiting**

If the message delivers successfully on the second or third attempt (30–60 min later), it is almost certainly greylisting. Rate limiting produces consistent 421 responses regardless of retry interval.
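
The Step 5 heuristic applied to Postfix delivery logs, as an added example that is not part of the original page. The function name, the verdict labels, the two-deferral threshold, and the sample log lines are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example: classify 421 deferrals per Postfix queue ID.
#   421 followed by status=sent   -> greylisting (a retry succeeded)
#   two or more 421s, never sent  -> rate-limited (assumed threshold)
#   a single 421, not yet sent    -> inconclusive, wait for the next retry
classify_421() {
  awk '
    /postfix\/smtp\[/ {
      # The queue ID is the field right after "postfix/smtp[pid]:".
      qid = ""
      for (i = 1; i < NF; i++)
        if ($i ~ /^postfix\/smtp\[[0-9]+\]:$/) { qid = $(i + 1); break }
      sub(/:$/, "", qid)
      if (qid == "") next
      if (!(qid in seen)) { seen[qid] = 1; order[++n] = qid }
      if ($0 ~ /status=deferred/ && $0 ~ /(said|refused to talk to me): 421[ -]/)
        deferred[qid]++
      else if ($0 ~ /status=sent/)
        sent[qid] = 1
    }
    END {
      for (k = 1; k <= n; k++) {
        q = order[k]; d = deferred[q] + 0
        if (d == 0) continue            # message never hit a 421
        if (sent[q])      verdict = "greylisting"
        else if (d >= 2)  verdict = "rate-limited"
        else              verdict = "inconclusive"
        printf "%s %d %s\n", q, d, verdict
      }
    }'
}

# Constructed sample log lines (not from a real server).
sample_log() {
  cat <<'EOF'
Jan 10 09:00:01 mx1 postfix/smtp[2101]: 4A1B2C3D4E: to=<a@example.com>, relay=mail.example.com[1.2.3.4]:25, dsn=4.7.0, status=deferred (host mail.example.com[1.2.3.4] said: 421 4.7.0 Try again later)
Jan 10 09:00:02 mx1 postfix/smtp[2102]: 5F6A7B8C9D: to=<b@example.com>, relay=mail.example.com[1.2.3.4]:25, dsn=4.0.0, status=deferred (host mail.example.com[1.2.3.4] said: 421 Too many concurrent connections)
Jan 10 09:05:03 mx1 postfix/smtp[2110]: 5F6A7B8C9D: to=<b@example.com>, relay=mail.example.com[1.2.3.4]:25, dsn=4.0.0, status=deferred (host mail.example.com[1.2.3.4] said: 421 Too many concurrent connections)
Jan 10 09:06:00 mx1 postfix/smtp[2111]: 6E7F8A9B0C: to=<c@example.com>, relay=mail.example.com[1.2.3.4]:25, dsn=4.7.0, status=deferred (host mail.example.com[1.2.3.4] refused to talk to me: 421 4.7.0 Try again later)
Jan 10 09:15:04 mx1 postfix/smtp[2120]: 5F6A7B8C9D: to=<b@example.com>, relay=mail.example.com[1.2.3.4]:25, dsn=4.0.0, status=deferred (host mail.example.com[1.2.3.4] said: 421 Too many concurrent connections)
Jan 10 09:35:10 mx1 postfix/smtp[2140]: 4A1B2C3D4E: to=<a@example.com>, relay=mail.example.com[1.2.3.4]:25, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 10 09:36:00 mx1 postfix/smtp[2141]: 7D8E9F0A1B: to=<d@example.com>, relay=mail.example.com[1.2.3.4]:25, dsn=2.0.0, status=sent (250 2.0.0 OK)
EOF
}

sample_log | classify_421   # or: classify_421 < /var/log/mail.log
```

Each output line is the queue ID, the number of 421 deferrals seen, and the verdict; messages that never received a 421 are omitted.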

Resolution

**Fix 1 — Wait and retry (greylisting)**

Greylisted messages are automatically retried by well-configured MTAs. Ensure your Postfix retry schedule is not too aggressive:

```ini
# /etc/postfix/main.cf
minimal_backoff_time = 300s
maximal_backoff_time = 4000s
maximal_queue_lifetime = 5d
```

**Fix 2 — Reduce connection concurrency**

```ini
# /etc/postfix/main.cf — limit concurrent connections per destination
smtp_destination_concurrency_limit = 2
smtp_destination_rate_delay = 1s
smtp_extra_recipient_limit = 10
```

**Fix 3 — Improve IP reputation**

Ensure your sending IP has correct PTR, SPF, DKIM, and DMARC records:

```bash
# Verify that the PTR name resolves forward to the same IP
HOST=$(dig -x 1.2.3.4 +short)
dig "$HOST" +short
# Must return 1.2.3.4
```

**Fix 4 — Use a dedicated ESP for bulk sending**

Route transactional email through SES, SendGrid, or Mailgun to leverage their warmed IP pools and avoid direct IP reputation issues.

Prevention

- Warm up new sending IPs gradually: start at 50 emails/day, double weekly
- Always configure PTR (reverse DNS), SPF, DKIM, and DMARC before sending
- Implement connection rate limiting per destination in your MTA config
- Monitor your sending IP against major blacklists daily using automated tools
- Use a dedicated IP for transactional vs bulk email to isolate reputation
