Symantec Mail Security for SMTP 5.0.1 - Best Practices for Linux Installations

Article:TECH88842  |  Created: 2008-01-16  |  Updated: 2011-03-01  |  Article URL http://www.symantec.com/docs/TECH88842
Article Type
Technical Solution

Issue

Best Practices for Linux Installations when installing Symantec Mail Security for SMTP 5.0.1  


Environment

Red Hat Enterprise Linux 3 ES or higher


Solution

OS installation

Check the system requirements:
http://service1.symantec.com/support/ent-gate.nsf/docid/2006052314455363

During the OS installation it is recommended to choose "Minimal install"; after it completes, install the following additional packages, which the product installer depends on:

  • compat-libstdc++
  • rpm-build


Permissions and pre-installation steps

Please check this KB article for detailed information about pre-installation steps:
http://service1.symantec.com/support/ent-gate.nsf/docid/2006081614370363

Updates and Patches

After installing Symantec Mail Security for SMTP 5.0.1, make sure that the latest patch is applied:
http://www.symantec.com/business/support/downloads.jsp?pid=51985


NOTE: The Red Hat Linux parameters described in the sections below are not supported by Symantec. They have been technically evaluated, but for guidance or support on these operating-system settings please contact the vendor (Red Hat) directly.





Network Optimization

Auto-Negotiation

It is recommended to disable auto-negotiation on the network interfaces and set the speed and duplex explicitly. The switch port at the other end of the link must be configured to match: a forced setting against an auto-negotiating port, or two forced settings that differ, produces a duplex mismatch in which the link comes up but runs with heavy errors and poor throughput.
You can use ethtool or mii-tool to set this, depending on the network interface driver; however, a change made that way does not persist across a reboot.

To set the speed/duplex permanently you have to edit the ifcfg-ethX scripts, usually located under /etc/sysconfig/network-scripts. The network scripts pass the value to ethtool -s when the interface is brought up.

For 100Mbps, append this line:
ETHTOOL_OPTS="speed 100 duplex full autoneg off"

For 1000Mbps, append this line:
ETHTOOL_OPTS="speed 1000 duplex full autoneg off"
If the link fails to come up with the line above (1000BASE-T requires auto-negotiation, so many gigabit NICs and switches refuse a forced setting), use instead: ETHTOOL_OPTS="speed 1000 duplex full autoneg on"

After restarting the interface, confirm the result with ethtool ethX and check the Speed, Duplex and Auto-negotiation lines of its output.

For best network performance, you can append the following lines to your /etc/sysctl.conf file. sysctl applies the file from top to bottom, so if a key is listed twice the last value wins; the block below therefore lists each key exactly once.

# APPEND STARTS HERE
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls TCP timing and port availability.
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_synack_retries = 3

# Kernel receive backlog (default is 300); the higher value is
# recommended for 1000BASE-T or faster links.
net.core.netdev_max_backlog = 3000

# Increase the TCP maximum buffer size settable using setsockopt()
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

# Increase Linux auto-tuning TCP buffer limits
# min, default, and max number of bytes to use;
# set max to at least 4MB, or higher if you use very high BDP paths
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

# Network security parameters: ignore source-routed packets and ICMP
# redirects, never send redirects, and drop packets whose source address
# is not routable back through the interface they arrived on (reverse
# path filtering). secure_redirects only matters while accept_redirects
# is enabled; it is kept here so redirects, if ever re-enabled, are only
# accepted from gateways in the routing table.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.lo.secure_redirects = 1
net.ipv4.conf.lo.accept_redirects = 0
# APPEND ENDS HERE

The net.ipv4.conf.all.* keys cover the interfaces that exist when sysctl -p runs; an interface created later (for example a bonding or VLAN interface added after boot) takes its initial values from the corresponding net.ipv4.conf.default.* keys, so set those as well if you add interfaces dynamically.

Turn off TCP segmentation offload (TSO) by using ethtool:
# ethtool -K IFACE tso off

NOTE: Run the command for each interface being used, for example ethtool -K eth0 tso off. Like a speed/duplex setting made with ethtool -s, an offload setting made this way does not persist across a reboot, so it must be reapplied at boot (for example from /etc/rc.d/rc.local). The current offload state can be checked with ethtool -k IFACE (lower-case k).

File Descriptors

If your system has the recommended memory (2GB), append to your /etc/sysctl.conf file the line:
fs.file-max = 131072

NOTE: If you have more than 2GB of RAM, add 65536 per GB. Example: with 4GB of RAM you can use fs.file-max = 262144.

After making all these changes to /etc/sysctl.conf, load them into the running kernel with:
# sysctl -p /etc/sysctl.conf

Append to your /etc/security/limits.conf file the lines:

* soft nofile 8192
* hard nofile <the same number used for fs.file-max>

The limits.conf values are applied by pam_limits when a new session starts, so they do not change the limits of processes that are already running; hence the reboot recommended below.

NOTE: After applying all changes a reboot is recommended.
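As an added check (an example script written for this page, not part of the Symantec article or the product), the POSIX shell script below lints a sysctl.conf-style fragment for keys assigned more than once, reports the value that sysctl -p will leave in effect (the last assignment wins), and cross-checks that the "* hard nofile" line in a limits.conf-style fragment equals fs.file-max, which is the pairing the File Descriptors section asks for. The function names, temporary file paths and the embedded fragments are this example's own; the fragments are constructed from the keys used above and include deliberate duplicates to exercise the check.

```shell
#!/bin/sh
# Added example: lint /etc/sysctl.conf-style and limits.conf-style fragments.
# Not from the Symantec article; file names and samples below are constructed.

# Effective value of key $2 in sysctl file $1. sysctl -p applies lines top to
# bottom, so the last assignment wins; prints nothing if the key is absent.
sysctl_effective() {
    awk -F'=' -v k="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            key = $1; gsub(/[[:space:]]/, "", key)
            if (key == k) { v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v) }
        }
        END { print v }' "$1"
}

# One line per key assigned more than once in sysctl file $1:
# "<key> <count> <effective value>". Silent if there are no duplicates.
sysctl_dupes() {
    awk -F'=' '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            key = $1; gsub(/[[:space:]]/, "", key)
            v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            if (++count[key] == 2) order[++n] = key
            last[key] = v
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %d %s\n", order[i], count[order[i]], last[order[i]]
        }' "$1"
}

# Hard nofile limit for the "*" domain in limits file $1; empty if absent.
limits_hard_nofile() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
         $1 == "*" && $2 == "hard" && $3 == "nofile" { v = $4 }
         END { print v }' "$1"
}

# Returns 0 when "* hard nofile" in limits file $2 equals fs.file-max in
# sysctl file $1, 1 otherwise (also 1 when fs.file-max is missing).
check_fd_limits() {
    fmax=$(sysctl_effective "$1" fs.file-max)
    hard=$(limits_hard_nofile "$2")
    if [ -n "$fmax" ] && [ "$fmax" = "$hard" ]; then
        echo "OK: fs.file-max=$fmax matches hard nofile=$hard"
        return 0
    fi
    echo "MISMATCH: fs.file-max='$fmax' hard nofile='$hard'"
    return 1
}

# Constructed samples, written to temporary files so the functions run against
# them exactly as they would against the real /etc files.
SAMPLE_SYSCTL="${TMPDIR:-/tmp}/sysctl-lint-sample.$$"
SAMPLE_LIMITS="${TMPDIR:-/tmp}/limits-lint-sample.$$"
SAMPLE_LIMITS_BAD="${TMPDIR:-/tmp}/limits-lint-bad.$$"
trap 'rm -f "$SAMPLE_SYSCTL" "$SAMPLE_LIMITS" "$SAMPLE_LIMITS_BAD"' EXIT

cat > "$SAMPLE_SYSCTL" <<'EOF'
# Kernel Receiver Backlog (Default is 300)
net.core.netdev_max_backlog = 2000
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_rmem = 4096 87380 16777216
# recommended to increase this for 1000 BT or higher
net.core.netdev_max_backlog = 3000
net.ipv4.tcp_fin_timeout = 30
net.ipv4.conf.all.accept_redirects = 0
fs.file-max = 131072
EOF

cat > "$SAMPLE_LIMITS" <<'EOF'
* soft nofile 8192
* hard nofile 131072
EOF

cat > "$SAMPLE_LIMITS_BAD" <<'EOF'
* soft nofile 8192
* hard nofile 65536
EOF

echo "Duplicate keys (key count effective-value):"
sysctl_dupes "$SAMPLE_SYSCTL"
check_fd_limits "$SAMPLE_SYSCTL" "$SAMPLE_LIMITS"
check_fd_limits "$SAMPLE_SYSCTL" "$SAMPLE_LIMITS_BAD" || true
```

Run it against the real files by replacing the sample paths with /etc/sysctl.conf and /etc/security/limits.conf; a duplicate reported by sysctl_dupes means an earlier line in the file is silently overridden, and a MISMATCH from check_fd_limits means the per-process hard limit and the system-wide maximum were not raised together.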



Legacy ID



2008011614301354

