Symantec Mail Security for SMTP 5.0.1 - Best Practices for Solaris
Article: TECH88909 | Created: 2008-01-30 | Updated: 2011-05-23 | Article URL: http://www.symantec.com/docs/TECH88909
What are the best practices when installing Symantec Mail Security for SMTP 5.0.1 on a Solaris server?
Check the system requirements:
Permissions and pre-installation steps
Please check this KB article for detailed information about pre-installation steps:
Updates and Patches
Before installing Symantec Mail Security for SMTP 5.0.1, please make sure all recommended patches have been applied to the underlying Solaris OS:
After installing Symantec Mail Security for SMTP 5.0.1, please make sure that the latest patch is applied:
NOTE: The Solaris parameters described in the sections below are not supported by Symantec. They have been technically evaluated, but for authoritative guidance or support on these settings, please contact the vendor directly.
Hardening the Solaris OS
- Disable all unnecessary network services, daemons etc.
- Comment out all unneeded service entries in the /etc/inetd.conf file
- Turn off netstat, systat, tftp and finger services
- Turn off rshd, rlogind and rexecd daemons; disable NFS if possible (rename or remove /etc/rc3.d/S15nfs.server)
- Kill and disable dtlogin (run /etc/init.d/dtlogin stop and rename or remove /etc/rc2.d/S99dtlogin)
Modify the following IP Stack parameters:
In the /etc/rc2.d/S69inet:
- ndd -set /dev/ip ip_forward_src_routed 0
- ndd -set /dev/ip ip_forward_directed_broadcasts 0
- ndd -set /dev/ip ip_respond_to_echo_broadcast 0
- ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
- ndd -set /dev/ip ip_send_redirects 0
- ndd -set /dev/ip ip_ignore_redirect 1
When multiple network interfaces or multiport NICs (qfe) are on the system, set the MAC addresses of the different interfaces to different values using ifconfig. By default all four interfaces are assigned the same MAC address. Alternatively, set the "local-mac-address?" variable in eeprom to true:
- eeprom 'local-mac-address?=true'
When using Sun GigaSwift (ce) Gigabit ethernet network interfaces, force the ce driver to use the 'traditional' STREAMS interface (as opposed to the GigaSwift STREAMS interface). This yields a significant improvement in throughput:
- ce:ce_put_cfg = 1
Disabling auto-negotiation is done at the operating system level and requires a tool. The following third-party tools are available:
When you disable auto-negotiation, set the NIC to Full Duplex and to either 100 or 1000 Mbps according to your switch configuration.
Another way to change auto-negotiation for some hme (also qfe) drivers is:
- ndd -set /dev/hme instance 0 (then 1, 2, 3, etc. for each additional instance)
- ndd -set /dev/hme adv_autoneg_cap 0
- ndd -set /dev/hme adv_100fdx_cap 1
NOTE: Repeat the commands above for every instance of the NIC driver
Tuning the streams queues for High-Throughput
- set sq_max_size = 800
This value is for a Solaris system with 2GB of RAM.
For each additional 256MB of RAM, the value can be increased by 100.
Tuning the TCP highwater parameters for Maximal Throughput
- ndd -set /dev/tcp tcp_xmit_hiwat 65535
- ndd -set /dev/tcp tcp_recv_hiwat 65535
NOTE: The default value for both variables is 8192.
Increasing TCP ports availability
- ndd -set /dev/tcp tcp_smallest_nonpriv_port 1024
- ndd -set /dev/tcp tcp_smallest_anon_port 1024
- ndd -set /dev/tcp tcp_largest_anon_port 65500
- ndd -set /dev/tcp tcp_time_wait_interval 30000
Tuning the TCP slow start and TCP queue sizes
- set tcp:tcp_conn_hash_size = 16384
A larger connection hash table helps Solaris locate the kernel data structures associated with TCP connections directly, instead of searching through memory.
In the /etc/rc3.d/S69inet:
- ndd -set /dev/tcp tcp_slow_start_initial 2
- ndd -set /dev/tcp tcp_conn_req_max_q 1024
- ndd -set /dev/tcp tcp_conn_req_max_q0 4096
- ndd -set /dev/tcp tcp_time_wait_interval 30000
- ndd -set /dev/tcp tcp_fin_wait_2_flush_interval 67500
The default values for these settings are: 1, 128, 1024, 240000, 675000 respectively.
Tune the TCP selective acknowledgement (SACK) mechanism
If you are looking for better security over WAN links:
- ndd -set /dev/tcp tcp_sack_permitted 1
If you are looking for better logging performance over WAN links:
- ndd -set /dev/tcp tcp_sack_permitted 0
Increase the number of open file descriptors
- set rlim_fd_cur = 32768
- set rlim_fd_max = 65535
Change the FSFlush behavior
- set autoup = 300
- set tune_t_fsflushr = 5
These variables control how much memory fsflush examines for dirty pages on each invocation, and how often the file system sync operations run.
The default is 30 seconds. Changing this setting is usually recommended on systems with large amounts of memory, since it reduces the amount of memory scanned on each invocation of fsflush.
General tuning parameters
- set maxpgio = 25468
Maxpgio (default 40 or 60) limits the rate at which I/O is queued to the swap devices. It is set to 40 for the sun4c, sun4m and sun4u architectures and 60 for sun4d. If the disks are faster than 7200 rpm, maxpgio can safely be set to 100 times the number of swap disks.
- set slowscan = 500
Slowscan defines the minimum number of pages per second that the system looks at when attempting to reclaim memory. The default value is usually 1/2 of fastscan.
- set maxusers = 2048
This should be set to the amount of RAM available on the server, expressed in megabytes; in this case 2GB, i.e. 2048.
- set ncsize = 34906
The formula for this setting is: 17 x maxusers + 90
- set ufs_ninode = 34096
The formula for the minimum value is: 17 x maxusers + 90. (Note that this setting must be at least equal to ncsize; the recommendation is to set it higher.)
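The maxusers, ncsize, ufs_ninode and sq_max_size formulas above can be derived from the RAM size and checked against an existing /etc/system file. The script below is an added example, not part of this article or the product: it assumes the "set key = value" lines live in /etc/system, treats the article's values as minimums, and uses a constructed sample file rather than a real host's configuration.

```sh
#!/bin/sh
# Derive the kernel values recommended above from RAM (MB) and audit an /etc/system file.

recommend_maxusers() { echo "$1"; }                 # maxusers = RAM in megabytes
recommend_ncsize()   { echo $(( 17 * $1 + 90 )); }  # 17 x maxusers + 90 (also the ufs_ninode floor)
recommend_sq_max_size() {
    # 800 for a 2GB system, plus 100 for every additional 256MB
    ram=$1
    [ "$ram" -lt 2048 ] && ram=2048
    echo $(( 800 + ((ram - 2048) / 256) * 100 ))
}

# Print each tuned key with its current value and the recommended minimum.
# Returns non-zero if any key is missing or below the minimum.
audit_system_file() {
    file=$1; ram=$2; status=0
    mu=$(recommend_maxusers "$ram"); nc=$(recommend_ncsize "$mu"); sq=$(recommend_sq_max_size "$ram")
    for key in maxusers ncsize ufs_ninode sq_max_size; do
        # /etc/system syntax is "set key = value"; lines starting with '*' are comments.
        # Take the last matching line, since later entries override earlier ones.
        actual=$(sed -n "s/^[[:space:]]*set[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$file" | tail -n 1)
        case $key in
            maxusers)    want=$mu ;;
            ncsize)      want=$nc ;;
            ufs_ninode)  want=$nc ;;   # must be at least ncsize
            sq_max_size) want=$sq ;;
        esac
        if [ -z "$actual" ]; then verdict=MISSING; status=1
        elif [ "$actual" -lt "$want" ]; then verdict=LOW; status=1
        else verdict=OK; fi
        printf '%-12s actual=%-6s minimum=%-6s %s\n' "$key" "${actual:--}" "$want" "$verdict"
    done
    return $status
}

# Constructed /etc/system fragment (not from a real host); ufs_ninode is deliberately below ncsize.
sample_system_file() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
* constructed sample, 2GB system
set sq_max_size = 800
set maxusers = 2048
set ncsize = 34906
set ufs_ninode = 34000
EOF
    echo "$f"
}

audit_system_file "$(sample_system_file)" 2048 || echo "one or more values are below the recommendation"
```

Run it with the path of a real /etc/system and the system's RAM in megabytes in place of the sample to audit a host before going live.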