Connection error 421 4.7.0 too many errors

[Labsy]

Hi,

is there some new limitation with ZCS 8.8.7, probably nginx limiting connections?
When I try to send BCC mail to 300 recipients, I get Outlook error 421 4.7.0 too many errors. Outlook refuses to connect to IMAP from there on.

[Labsy]

I reviewd the bug reports and found nothing suitable.
Also my external Zimbra FQDN is the same as internal one. But still error 421 is related to SNI support, introduced with Zimbra 8.6, if I am not mistaken.

On the other hand, I found something totaly different, SMTP related:
zimbra code error 421-4.7.0 This message does not have authentication information or fails to pass 421-4.7.0 authentication checks

Any other idea?

[JDunphy]

I reviewd the bug reports and found nothing suitable.
Also my external Zimbra FQDN is the same as internal one. But still error 421 is related to SNI support, introduced with Zimbra 8.6, if I am not mistaken.

On the other hand, I found something totaly different, SMTP related:
zimbra code error 421-4.7.0 This message does not have authentication information or fails to pass 421-4.7.0 authentication checks

Any other idea?

That last message is generally for extra checks you are doing or the receiving MTA is doing. Have you set up SPF, DKIM, etc? Wild guess here given what you are seeing.
I have been thinking about the other problem too. I wonder what happens when a connection pool is exhausted in nginx and no new connections can be established to the backend. You would be able to verify that with some netstat's but really just another wild guess. In theory, there should be some timeout's on those sockets and they should disappear unless you had a constant supply or there was another factor at play like a DoS tool that was dropping connections and leaving partial state. I think its can be up to 8 mins for TCP to back off when closing 1/2 open sockets.

I am using your 8.8+ install to build some operational experience for the future so hope you don't mind me chiming in from time to time even when I don't have a clue.

[Labsy]

Well, this error pops up in my Outlook, when I send mail to all Zimbra users. I guess there are many non-existent accounts on my list, but I expect NDR, not connection refusal.
I've checked - noone received my mail, BCC addressed to all zimbra users.

...but on the other hand, if this is some new feature, which prevents spam outbursts from infected workstations, well...in this case I will accept that.
I just need to know, what's the mechanism beyond:
- is it a malfunction or poorly configured limits?
- or is it protection feature?

[JDunphy]

That makes more sense given that context. Wonder if this could describe what you are seeing.

http://www.postfix.org/postconf.5.html# ... rror_limit

Code: Select all

grep -i error /opt/zimbra/postfix/conf/main.cf 
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
virtual_transport = error

or this way

Code: Select all

postconf -d | egrep '(smtpd_recipient_limit|error_limit)'
smtpd_hard_error_limit = ${stress?{1}:{20}}
smtpd_recipient_limit = 1000
smtpd_soft_error_limit = 10

This has been here for a while however but maybe not with 8.09 where you began. See http://www.postfix.org/STRESS_README.html They also mentioned the hard/soft error with https://wiki.zimbra.com/wiki/Improving_Anti-spam_system at the Simultaneous Connection Throttling section.

[Labsy]

Oh, me stupido... I am a bit ashamed as this was my error - I copy-pasted email addresses from Excel, which forced 'single quotes' with each address, rendering hundreds of address errors on postfix. That's why server disconnected me!

Luckily I have my own handy mail parser, which I wrote in PHP some time ago to clean up large mailing lists of bad characters and duplicates.
Maybe comes handy for someone else, too:
Mail extractor and duplicate remover: https://mailer.secureit.si/email-extract/