SMTP

SMTP Error 454

SMTP 454 is a temporary failure — usually auth throttling or TLS issues (454 4.7.0) or relay access denied (454 4.7.1). Learn what triggers it and how to fix it.

Updated Jul 1, 2026

The short answer

SMTP 454 is a transient negative reply (RFC 5321 4yz: the command was refused but the condition is temporary, so retry later). It most often means a temporary authentication failure — "454 4.7.0" (Google "too many login attempts", Exchange Kerberos/SPN/clock issues, SES rate throttling, or TLS not available) — or "454 4.7.1 Relay access denied" when the server requires authentication before accepting the recipient. Fix it by backing off and retrying, fixing credentials/App Password, or resolving TLS.

SMTP reply code 454 is a transient negative completion reply. Per RFC 5321 §4.2.1, any 4yz code means: "The command was not accepted, but the error condition is temporary. The sender SHOULD retry the command later." That single fact reframes most 454 troubleshooting — unlike a permanent 5yz rejection, a well-behaved client should back off and retry rather than treat it as a hard failure.

What causes SMTP Error 454?

454 is overwhelmingly used for two temporary conditions:

1. Temporary authentication failure — 454 4.7.0. The server accepted your AUTH attempt format but couldn't complete authentication right now. Real-world triggers:

  • Rate-limited logins. Google returns 454 4.7.0 Too many login attempts, please try again later when an account exceeds its concurrent-connection or login-frequency limits (often repeated bad passwords or too many tools polling the same mailbox). See the Gmail/Workspace community.
  • Sending throttle. Amazon SES replies 454 Throttling failure: Maximum sending rate exceeded after DATA when you exceed your account's max send rate. SES also returns a distinct 454 Throttling failure: Daily message quota exceeded when you hit your 24-hour sending limit — that needs a different fix (wait for the daily reset or request a quota increase) than the per-second rate-limit case.
  • Server-side auth infrastructure. On Exchange, 454 4.7.0 Temporary authentication failure is logged with Event ID 1035 and is typically caused by clock skew (>5 min), Active Directory replication lag, missing/duplicate SPNs, or Kerberos ports blocked by a firewall — not by your client credentials at all (Microsoft Learn).
  • TLS not available. Defined by the STARTTLS extension (RFC 3207): the bare reply 454 TLS not available due to temporary reason (e.g., a temporarily unavailable or invalid certificate). RFC 3207 itself doesn't attach an enhanced status code to this reply, but real-world servers (Postfix, Gmail) commonly pair it with 4.7.0, consistent with the auth-failure code above.

2. Relay/auth denial — 454 4.7.1. Per the enhanced-status-code registry (RFC 3463), X.7.1 means "Delivery not authorized, message refused." In practice this shows up as 454 4.7.1 Relay access denied when the server requires authentication before it will accept the recipient — a distinct condition from the TLS case above, not the same code reused for a different meaning.

Related implementation-specific messages seen in the wild (not RFC 3207 text itself): 454 4.5.0 ... no commands allowed to pipeline after STARTTLS (Postfix/Sendmail enforcing the STARTTLS pipelining restriction from RFC 2920) and 454 5.5.1 STARTTLS may not be repeated (note: this one pairs a transient 4yz base reply with a permanent 5.x.x enhanced code — a known implementation quirk, not a spec-defined combination).

How do I fix SMTP Error 454?

Match the fix to the enhanced status code in the response (454 4.7.0 vs 454 4.7.1):

  1. Retry with backoff first. Because 454 is transient, wait and retry before changing anything. For SES throttling, AWS's documented schedule is progressively longer waits — 5 seconds, then 10 seconds, then 30 seconds — and if the third retry still fails, wait 20 minutes before repeating the cycle. For Google "too many login attempts," pause, reduce the number of tools connected to the mailbox, and stay within the concurrent-connection limit.
  2. Verify credentials — the right way. If logins are being rejected, confirm the username/password. For Gmail, do not look for "Less Secure Apps" — Google removed it for personal Gmail accounts in 2022. Google Workspace accounts kept it longer, losing it in stages through 2024 (fully enforced by September 30, 2024). Use an App Password (requires 2-Step Verification) or OAuth2.
  3. Fix TLS for 454 4.7.0 TLS-unavailable replies. Ensure the server's certificate is valid and current, connect on a TLS-capable port, and issue STARTTLS only once. Both port 587 (STARTTLS) and port 465 (implicit TLS) are valid per RFC 8314 — neither is deprecated.
  4. Fix relay denial for 454 4.7.1. Authenticate before sending, or confirm your IP/account is authorized to relay through that server.
  5. Server operators (Exchange 454 4.7.0): sync clocks to within 5 minutes, force AD replication, verify/deduplicate the SMTP/SMTPSVC SPNs with SetSPN, open Kerberos ports, and confirm Exchange Authentication is enabled on the receive connector.
  6. If you're sending through Courier, the provider (SES, SendGrid, a custom SMTP server, etc.) surfaces the 454; check that provider's dashboard for rate limits or auth/credential warnings rather than assuming a client bug.

Treat 454 as "try again," not "give up." Implementing exponential-backoff retry logic resolves the majority of these — the underlying condition is temporary by definition.

FAQ

Common questions

No. 454 is a 4yz transient negative reply (RFC 5321 §4.2.1): the command was refused but the condition is temporary, and the sender SHOULD retry later. This is the opposite of a 5yz permanent failure, where retrying won't help.

One API, every provider

Stop debugging raw provider errors

Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.

Reply-code definitions per RFC 5321 §4.2.1; RFC 3207; RFC 3463. Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.