How to troubleshoot Postfix 'too many connections' errors after upgrading? - Knowledge Base

Summary

Troubleshooting Postfix 'too many connections' errors after an upgrade requires a comprehensive approach covering configuration parameters, system resources, network settings, and external factors. The key areas to investigate include process limits, concurrency limits, rate delays, TLS settings, DNS resolution, greylisting policies, reverse DNS records, system load, firewall restrictions, queue management, and connection reuse. Examining Postfix's configuration files, monitoring system resources, and seeking community support are also recommended.

Key findings

Process Limits: `default_process_limit` controls the number of concurrent Postfix processes; insufficient limits can cause errors.
Concurrency Limits: `transport_destination_concurrency_limit` restricts connections to a destination; overly restrictive values can trigger errors.
Rate Delays: `destination_rate_delay` helps manage the connection rate, especially if the upgraded Postfix is more aggressive.
TLS Settings: Incorrect TLS configurations (`smtp_tls_security_level`) can lead to connection problems.
DNS Issues: Slow or unreliable DNS resolution increases connection retries.
Greylisting: Aggressive greylisting with short retry windows can increase connection attempts.
Reverse DNS (PTR): Missing or incorrect reverse DNS records can cause connection rejections or delays.
System Load: High system load can slow down Postfix and exacerbate connection issues.
Firewall Restrictions: Firewall rules might be limiting outbound connections.
Queue Management: Backlogged queues can lead to connection spikes.
Connection Reuse: Disabled connection reuse (`smtp_tls_connection_reuse`) results in more new connections.
System Resources: Insufficient system resources (ulimit) can prevent Postfix from establishing connections.

Key considerations

Check Configuration Files: Review main.cf, master.cf, and other relevant configuration files for errors.
Examine Error Logs: Analyze Postfix logs for specific error messages related to connection issues.
Increase Process Limits: Consider increasing `default_process_limit`, but monitor resource usage.
Adjust Concurrency: Review `transport_destination_concurrency_limit` and `initial_destination_concurrency`.
Implement Rate Delays: Use `destination_rate_delay` if the upgraded Postfix is too aggressive.
Configure TLS Properly: Verify correct TLS settings, including `smtp_tls_security_level`.
Optimize DNS Resolution: Ensure fast and reliable DNS resolution.
Review Greylisting Policies: Adjust greylisting settings to avoid excessive connection attempts.
Configure Reverse DNS: Set up a valid reverse DNS (PTR) record for the server.
Monitor System Load: Check CPU, memory, and disk I/O for high load issues.
Adjust Firewall Rules: Ensure the firewall isn't limiting outbound connections.
Manage the Queue: Monitor the Postfix queue using `mailq` and `postqueue -p`.
Enable Connection Reuse: Ensure `smtp_tls_connection_reuse = yes`.
Adjust Ulimit Settings: Check and increase system resource limits (ulimit).
Seek Community Support: Consult the postfix-users mailing list or online forums for assistance.

What email marketers say
12Marketer opinions

Troubleshooting 'too many connections' errors in Postfix after upgrading involves examining multiple configuration aspects. Key areas include connection limits (`maxproc` in `master.cf`, `initial_destination_concurrency`), resource limits (system ulimit), DNS resolution, TLS settings, firewall restrictions, queue monitoring, connection reuse (`smtp_tls_connection_reuse`), greylisting, reverse DNS records, and overall system load. The errors can also be linked to software bugs with new Postfix releases.

Key opinions

Connection Limits: Incorrect settings for `maxproc` or `initial_destination_concurrency` can exhaust available connections.
Resource Limits: System-level resource limits (ulimit) can prevent Postfix from opening necessary connections.
DNS Issues: Slow or incorrect DNS resolution can lead to increased connection attempts.
TLS Configuration: Incorrect TLS settings might cause connection problems.
Firewall Restrictions: Firewall rules could be limiting outbound connections from the Postfix server.
Queue Backlog: A large queue backlog can lead to connection spikes.
Connection Reuse: Disabled connection reuse (`smtp_tls_connection_reuse`) results in more connections being created.
Greylisting: Overly aggressive greylisting can increase connection retries.
Reverse DNS: Missing or incorrect reverse DNS records can cause connection delays or rejections.
System Load: High system load can slow down Postfix and exacerbate connection issues.

Key considerations

Check `maxproc`: Ensure the `maxproc` setting in `master.cf` isn't too restrictive for the current workload.
Adjust Concurrency: Review and adjust `initial_destination_concurrency` to optimize connection handling.
Verify Ulimit: Check system resource limits (ulimit) and increase them if necessary.
Test DNS Resolution: Confirm DNS is resolving quickly and accurately.
Review TLS Settings: Ensure `smtp_tls_security_level` and related parameters are correctly configured.
Examine Firewall Rules: Verify the firewall isn't limiting outbound connections.
Monitor the Queue: Use `mailq` and `postqueue -p` to identify any backlogs.
Enable Connection Reuse: Ensure `smtp_tls_connection_reuse = yes` is set.
Review Greylisting: Adjust greylisting settings if they are too aggressive.
Configure Reverse DNS: Make sure the server has a valid reverse DNS (PTR) record.
Monitor System Load: Check CPU, memory, and disk I/O to identify high load issues.

Marketer view

Email marketer from Geekflare explains that overly aggressive greylisting can cause senders to retry frequently, increasing the number of connections. Review your greylisting configuration.

April 2023 - Geekflare

Marketer view

Email marketer from EmailAdminBlog.com recommends checking and adjusting Postfix's `initial_destination_concurrency`. They explain that a low initial concurrency setting could lead to quicker exhaustion of available connections.

June 2023 - EmailAdminBlog.com

Marketer view

Email marketer from LinuxBabe.com responds with the recommendation to monitor the Postfix queue using `mailq` and `postqueue -p`. This allows you to identify if there's a backlog of messages causing the connection spikes.

December 2024 - LinuxBabe.com

Marketer view

Email marketer from DigitalOcean responds that it's important to verify that the firewall isn't limiting the number of outbound connections from the Postfix server. He shares that iptables or firewalld could be restricting connections.

June 2024 - DigitalOcean

What the experts say
4Expert opinions

Troubleshooting 'too many connections' errors in Postfix involves examining configuration files, error messages, greylisting settings, and DNS resolution. Configuration files need to be checked, and it's important to differentiate between inbound and outbound settings. Aggressive greylisting and DNS issues are major factors.

Key opinions

Configuration Review: Configuration files should be checked, along with the exact errors being received, to identify misconfigurations.
Inbound vs. Outbound Settings: `smtpd_junk_command_limit` affects inbound mail, not outbound concurrency issues.
Aggressive Greylisting: Aggressive greylisting with a short retry window can lead to increased connection attempts.
DNS Resolution: Slow or unreliable DNS resolution leads to more connection retries.

Key considerations

Examine Config Files: Check configuration files and error logs.
Understand Settings: Understand the difference between inbound and outbound configuration settings.
Adjust Greylisting: Review and adjust greylisting settings to avoid excessive connection attempts.
Optimize DNS: Ensure fast and reliable DNS resolution.

Expert view

Expert from Spam Resource explains that aggressive greylisting combined with a short retry window can increase connection attempts and trigger 'too many connections' errors in Postfix.

September 2022 - Spam Resource

Expert view

Expert from Email Geeks explains that `smtpd_junk_command_limit` is an inbound mail setting and wouldn't affect outbound concurrency.

June 2021 - Email Geeks

Expert view

Expert from Email Geeks suggests checking the configuration file and the exact errors received. He also suggests asking the postfix-users mailing list for assistance.

July 2024 - Email Geeks

Expert view

Expert from Word to the Wise explains that slow or unreliable DNS resolution can cause Postfix to retry connections more often, potentially leading to 'too many connections' errors. He shares to always check DNS settings and ensure fast resolution times.

April 2021 - Word to the Wise

What the documentation says
3Technical articles

Troubleshooting 'too many connections' errors in Postfix after upgrading involves examining key configuration parameters related to process limits, concurrency, and rate delays. Documentation from Postfix.org highlights the importance of `default_process_limit`, `transport_destination_concurrency_limit` (or its transport-specific variants), and `destination_rate_delay` in managing connection behavior.

Key findings

Process Limit: `default_process_limit` controls the maximum number of concurrent Postfix processes.
Concurrency Limit: `transport_destination_concurrency_limit` restricts concurrent connections to a single destination.
Rate Delay: `destination_rate_delay` may be needed if the upgraded Postfix version is more aggressive.

Key considerations

Increase Process Limit: Consider increasing `default_process_limit` while monitoring resource usage.
Review Concurrency Limit: Assess if `transport_destination_concurrency_limit` is too restrictive.
Implement Rate Delay: If necessary, use `destination_rate_delay` to slow down connection attempts.

Technical article

Documentation from Postfix.org explains that the `default_process_limit` parameter controls the maximum number of concurrently running Postfix processes. Increasing this might help, but also check resource usage.

April 2024 - Postfix.org

Technical article

Documentation from Postfix.org explains the use of `destination_rate_delay` parameter. He shares that this might be needed if the upgraded Postfix version is more aggressive, causing the destination server to see too many connections.

November 2021 - Postfix.org

Technical article

Documentation from Postfix.org shares that the `transport_destination_concurrency_limit` (or specific transport like `smtp_destination_concurrency_limit`) limits the number of concurrent connections to a single destination. Review if this value is too restrictive.

July 2023 - Postfix.org

Webmin Update Causes php-fpm failure - General Discussion ...

Every time there is a webmin update, my system shits itself and all of my client php websites go offline. Its always the same bloody problem. My system runs multiple php versions (5.6,7.0,7.1,7.2,7.3,7.4) due to client needs. If i go into client virtual servers and change their php version to another, that version of php-fpm also shits itself immediately and stops functioning. In the end, not a single version of php-fpm works (they all shut down with error codes). I have complained about this...

Virtualmin Community

Postfix doesn't work since last update of certificate (08/2019) - Help ...

Hi, I use a containerized version of postfix via https://github.com/tomav/docker-mailserver . I don’t use their system to update the letsencrypt certificate , but I have caddyserver.com generating it for me. I just restart the email server with volume mounts pointing to the newly generated cert. The container use dovecot for imap, and it works great. But for postfix, it doesn’t. Here are the details. My domain is: mail.evereska.org I ran this command: openssl s_client -connect mail.everes...

Let's Encrypt Community Support

How can I change the retransmission time in Postfix?

How can I load balance incoming emails across multiple servers using MX records?

How can I hide my mail server IP address or mitigate attacks against it?

How do PowerMTA's retry-after, max-connect-rate, max-smtp-out, max-msg-per-connection, and max-msg-rate directives work?

Why am I seeing temporary server errors on 0365 for specific subnets?

What causes 'Server is not currently available, possibly due to too many connections' and how to fix it?