Symantec Mail Security for SMTP 5.0.1 - Best Practices for Solaris

Article:TECH88909  |  Created: 2008-01-30  |  Updated: 2011-05-23  |  Article URL http://www.symantec.com/docs/TECH88909
Article Type: Technical Solution

Issue

What are the best practices when installing Symantec Mail Security for SMTP 5.0.1 on a Solaris server?


Solution



OS installation

Check the system requirements:
http://www.symantec.com/docs/TECH84520

Permissions and pre-installation steps

Please check this KB article for detailed information about pre-installation steps:
http://www.symantec.com/docs/TECH84757

Updates and Patches

Before installing Symantec Mail Security for SMTP 5.0.1, please make sure all recommended patches have been applied to the underlying Solaris OS:
http://sunsolve.sun.com

After installing Symantec Mail Security for SMTP 5.0.1 , please make sure that the latest patch is applied:
http://www.symantec.com/business/support/downloads.jsp?pid=51985


NOTE: The Solaris parameters described in the sections below are not supported by Symantec. They have been technically evaluated, but for authoritative guidance or support on them, contact the OS vendor directly.




Hardening the Solaris OS

  • Disable all unnecessary network services, daemons, etc.
  • Comment out all unneeded service entries in the /etc/inetd.conf file
  • Turn off the netstat, systat, tftp and finger services
  • Turn off the rshd, rlogind and rexecd daemons; disable NFS if possible (rename or remove /etc/rc3.d/S15nfs.server)
  • Kill and disable dtlogin (run /etc/init.d/dtlogin stop and rename or remove /etc/rc2.d/S99dtlogin)
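As an added example that is not part of the Symantec article, the following POSIX shell script audits a host against the hardening list above. It reports which of the named inetd services still have uncommented entries in an inetd.conf (netstat, systat, tftp, finger, and the r-services, whose inetd.conf entries are shell, login and exec for rshd, rlogind and rexecd) and whether the two start scripts the list says to rename or remove are still present. The function names, the inetd.conf sample and the scratch directory layout used for an offline run are constructed for this example; it changes nothing on the system.

```shell
#!/bin/sh
# Added hardening audit (not from the Symantec article). Read-only: it
# reports what is still enabled and changes nothing.

# inetd.conf service names for the daemons the article says to turn off:
# netstat, systat, tftp, finger, and shell/login/exec (rshd/rlogind/rexecd).
UNWANTED="netstat systat tftp finger shell login exec"

# Start scripts the article says to rename or remove (relative to /).
RC_SCRIPTS="etc/rc3.d/S15nfs.server etc/rc2.d/S99dtlogin"

# active_unwanted FILE: print each unwanted service that still has an
# uncommented entry in FILE (an inetd.conf), one per line, in UNWANTED order.
active_unwanted() {
    for svc in $UNWANTED; do
        if grep -q "^[[:space:]]*$svc[[:space:]]" "$1"; then
            echo "$svc"
        fi
    done
}

# present_rc_scripts ROOT: print each start script still present under
# ROOT (use / on a live host; a scratch directory when testing offline).
present_rc_scripts() {
    root=${1:-/}
    for s in $RC_SCRIPTS; do
        if [ -e "$root/$s" ]; then
            echo "$s"
        fi
    done
}

# write_sample_inetd FILE: constructed inetd.conf fragment for offline use;
# systat, finger and login are deliberately left enabled.
write_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf (not copied from a real Solaris host)
ftp      stream  tcp  nowait  root    /usr/sbin/in.ftpd      in.ftpd
telnet   stream  tcp  nowait  root    /usr/sbin/in.telnetd   in.telnetd
#shell   stream  tcp  nowait  root    /usr/sbin/in.rshd      in.rshd
login    stream  tcp  nowait  root    /usr/sbin/in.rlogind   in.rlogind
#exec    stream  tcp  nowait  root    /usr/sbin/in.rexecd    in.rexecd
finger   stream  tcp  nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
#tftp    dgram   udp  wait    root    /usr/sbin/in.tftpd     in.tftpd -s /tftpboot
systat   stream  tcp  nowait  root    /usr/bin/ps            ps -ef
#netstat stream  tcp  nowait  root    /usr/bin/netstat       netstat -f inet
EOF
}

# Live run on a Solaris host:  sh harden_audit.sh /etc/inetd.conf /
if [ $# -eq 2 ]; then
    echo "inetd services still enabled:"; active_unwanted "$1"
    echo "start scripts still present:";  present_rc_scripts "$2"
fi
```

Anything the audit prints is a remaining item from the list; an empty report for both functions means the inetd and rc-script steps are complete.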


Modify the following IP Stack parameters:

In the /etc/rc2.d/S69inet:

  • ndd -set /dev/ip ip_forward_src_routed 0
  • ndd -set /dev/ip ip_forward_directed_broadcasts 0
  • ndd -set /dev/ip ip_respond_to_echo_broadcast 0
  • ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
  • ndd -set /dev/ip ip_send_redirects 0
  • ndd -set /dev/ip ip_ignore_redirect 1


When multiple network interfaces or multiport NICs (qfe) are on the system, set the MAC addresses of the different interfaces to different values using ifconfig. By default all four interfaces are assigned the same MAC address. Alternatively, set the "local-mac-address?" variable in eeprom to true:

  • eeprom 'local-mac-address?=true'


When using Sun GigaSwift (ce) Gigabit Ethernet network interfaces, force the ce driver to use the 'traditional' STREAMS interface (as opposed to the GigaSwift STREAMS interface); this yields a significant improvement in throughput:

In /etc/system:

  • ce:ce_put_cfg = 1


Auto-Negotiation

Auto-negotiation is disabled at the operating system level, and a tool is needed to do it. Third-party tools such as the following are available:

  • mii-tool

http://docs.sun.com/source/817-5051/pt_tuningos.html

When you disable auto-negotiation, set the NIC to use full duplex and either 100 or 1000 Mbps, according to your switch configuration.

Another way to change auto-negotiation for some hme (and qfe) drivers is:

  • ndd -set /dev/hme instance 0 (use 1, 2, 3, etc. to select the other instances)
  • ndd -set /dev/hme adv_autoneg_cap 0
  • ndd -set /dev/hme adv_100fdx_cap 1

NOTE: Repeat the commands above for every instance of the NIC driver.

Tuning the streams queues for High-Throughput
In /etc/system:

  • set sq_max_size = 800

This value is for a Solaris system with 2 GB of RAM; for each additional 256 MB of RAM, increase it by 100.

Tuning the TCP highwater parameters for Maximal Throughput

  • ndd -set /dev/tcp tcp_xmit_hiwat 65535
  • ndd -set /dev/tcp tcp_recv_hiwat 65535


NOTE: The default value for both variables is 8192.

Increasing TCP ports availability

  • ndd -set /dev/tcp tcp_smallest_nonpriv_port 1024
  • ndd -set /dev/tcp tcp_smallest_anon_port 1024
  • ndd -set /dev/tcp tcp_largest_anon_port 65500
  • ndd -set /dev/tcp tcp_time_wait_interval 30000


Tuning the TCP slow start and TCP queue sizes

In /etc/system:

  • set tcp:tcp_conn_hash_size = 16384

A larger connection hash table helps Solaris locate the kernel data structures associated with TCP connections directly instead of searching memory for them.

In the /etc/rc2.d/S69inet:

  • ndd -set /dev/tcp tcp_slow_start_initial 2
  • ndd -set /dev/tcp tcp_conn_req_max_q 1024
  • ndd -set /dev/tcp tcp_conn_req_max_q0 4096
  • ndd -set /dev/tcp tcp_time_wait_interval 30000
  • ndd -set /dev/tcp tcp_fin_wait_2_flush_interval 67500


The default values for these settings are 1, 128, 1024, 240000 and 675000 respectively.
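The ndd settings from the IP stack, TCP highwater, TCP port availability and slow-start/queue sections above are runtime values that revert at boot unless the rc script sets them, so a practitioner wants a way to confirm what the kernel is currently using. The script below is an added example, not part of the Symantec article: it reads each parameter with ndd -get and prints one line per deviation from the recommended value. Because ndd only exists on Solaris, NDD_CMD can be pointed at a stand-in; the fake_ndd stub and its values are constructed for the offline run (the tcp values it returns are the defaults the article quotes, the ip and port values are arbitrary and are not a claim about Solaris defaults). Function and variable names are this example's own.

```shell
#!/bin/sh
# Added ndd compliance check (not from the Symantec article).
# Compares live ndd values against the values recommended in the article.

NDD_CMD="${NDD_CMD:-ndd}"   # on Solaris this is the real ndd binary

# One "driver parameter expected" triple per line, taken from the article.
EXPECTED='
/dev/ip ip_forward_src_routed 0
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_send_redirects 0
/dev/ip ip_ignore_redirect 1
/dev/tcp tcp_xmit_hiwat 65535
/dev/tcp tcp_recv_hiwat 65535
/dev/tcp tcp_smallest_nonpriv_port 1024
/dev/tcp tcp_smallest_anon_port 1024
/dev/tcp tcp_largest_anon_port 65500
/dev/tcp tcp_time_wait_interval 30000
/dev/tcp tcp_slow_start_initial 2
/dev/tcp tcp_conn_req_max_q 1024
/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_fin_wait_2_flush_interval 67500
'

# audit_ndd: print "driver parameter current expected" for every parameter
# whose live value differs from the recommendation; print nothing when all
# match. A parameter ndd cannot read is reported as "unreadable".
audit_ndd() {
    echo "$EXPECTED" | while read -r drv param want; do
        [ -z "$drv" ] && continue
        have=$("$NDD_CMD" -get "$drv" "$param" 2>/dev/null) || have="unreadable"
        if [ "$have" != "$want" ]; then
            echo "$drv $param $have $want"
        fi
    done
}

# ndd_deviation_count: number of non-compliant parameters (0 = compliant).
ndd_deviation_count() {
    audit_ndd | wc -l | tr -d ' '
}

# fake_ndd -get DRIVER PARAM: constructed stand-in for ndd on non-Solaris
# hosts. ip_* all answer 0, so only ip_ignore_redirect (wanted 1) deviates;
# the tcp answers are the defaults the article quotes, except the three
# port values, which are arbitrary constructed numbers.
fake_ndd() {
    case "$2 $3" in
        "/dev/ip "*)                                          echo 0 ;;
        "/dev/tcp tcp_xmit_hiwat"|"/dev/tcp tcp_recv_hiwat")  echo 8192 ;;
        "/dev/tcp tcp_smallest_nonpriv_port")                 echo 1024 ;;
        "/dev/tcp tcp_smallest_anon_port")                    echo 32768 ;;
        "/dev/tcp tcp_largest_anon_port")                     echo 65535 ;;
        "/dev/tcp tcp_slow_start_initial")                    echo 1 ;;
        "/dev/tcp tcp_conn_req_max_q")                        echo 128 ;;
        "/dev/tcp tcp_conn_req_max_q0")                       echo 1024 ;;
        "/dev/tcp tcp_time_wait_interval")                    echo 240000 ;;
        "/dev/tcp tcp_fin_wait_2_flush_interval")             echo 675000 ;;
        *) return 1 ;;
    esac
}

# Live run on Solaris:   sh ndd_audit.sh --run
# Offline demonstration: NDD_CMD=fake_ndd sh ndd_audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_ndd
    echo "deviations: $(ndd_deviation_count)"
fi
```

Run it once after applying the settings and again after a reboot; a non-zero count after the reboot means the rc script is not applying them.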

Tune the TCP selective acknowledgement (SACK) mechanism
In /etc/rc2.d/S69inet:

If you are looking for better security over WAN links:

  • ndd -set /dev/tcp tcp_sack_permitted 1


If you are looking for better logging performance over WAN links:

  • ndd -set /dev/tcp tcp_sack_permitted 0


Increase the number of open file descriptors
In /etc/system:

  • set rlim_fd_cur = 32768
  • set rlim_fd_max = 65535


Change the FSFlush behavior
In /etc/system:

  • set autoup = 300
  • set tune_t_fsflushr = 5


These variables control the amount of memory examined for dirty pages on each invocation of fsflush and the frequency of the file system sync operations.
The default is 30 seconds. Changing this setting is usually recommended on systems with large amounts of memory, as it reduces the amount of memory scanned on each invocation of fsflush.

General tuning parameters
In /etc/system:

  • set maxpgio = 25468

maxpgio (default 40 or 60) limits the rate at which I/O is queued to the swap devices. It is set to 40 for the sun4c, sun4m and sun4u architectures and 60 for sun4d. If the disks are faster than 7200 rpm, maxpgio can safely be set to 100 times the number of swap disks.

  • set slowscan = 500

slowscan defines the minimum number of pages per second that the system examines when attempting to reclaim memory. The default value is usually 1/2 of fastscan.

  • set maxusers = 2048

This should be set to the amount of RAM available on the server expressed in megabytes; in this case the server has 2 GB, hence 2048.

  • set ncsize = 34906

The formula for this setting is 17 x maxusers + 90.

  • set ufs_ninode = 34096

The formula for the minimum value is 17 x maxusers + 90. Note that this setting must be at least equal to ncsize, and the recommendation is to set it higher.
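The sizing rules in this section (maxusers equal to the RAM in megabytes, ncsize = 17 x maxusers + 90, ufs_ninode at least ncsize) are easy to get wrong when editing /etc/system by hand, and a typo there is only discovered at the next boot. The script below is an added example, not part of the Symantec article: it parses the "set name = value" lines of an /etc/system file, skipping '*' comment lines and honouring the last occurrence of a name, and checks the three rules, returning non-zero when any fails. The function names are this example's own, and the embedded sample file is constructed from the article's own values; run against it, the check reports ufs_ninode = 34096 as below ncsize = 34906, which is exactly the condition the rule above is meant to catch.

```shell
#!/bin/sh
# Added /etc/system sizing check (not from the Symantec article).
SYSTEM_FILE="${SYSTEM_FILE:-/etc/system}"

# get_set NAME FILE: print the value of "set NAME = N" from FILE, ignoring
# '*' comment lines; the last occurrence wins, as the kernel reads the file
# top to bottom. Prints nothing when NAME is not set.
get_set() {
    grep -v '^[[:space:]]*\*' "$2" |
    sed -n "s/^[[:space:]]*set[[:space:]][[:space:]]*$1[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" |
    tail -n 1
}

# expected_ncsize MAXUSERS: the article's formula, 17 x maxusers + 90.
expected_ncsize() {
    echo $(( 17 * $1 + 90 ))
}

# check_system RAM_MB [FILE]: print one OK/FAIL line per rule and return
# 1 if any rule failed. FILE defaults to SYSTEM_FILE (/etc/system).
check_system() {
    ram_mb=$1
    f=${2:-$SYSTEM_FILE}
    status=0
    maxusers=$(get_set maxusers "$f")
    ncsize=$(get_set ncsize "$f")
    ninode=$(get_set ufs_ninode "$f")

    if [ "$maxusers" = "$ram_mb" ]; then
        echo "OK   maxusers=$maxusers matches ${ram_mb} MB of RAM"
    else
        echo "FAIL maxusers=${maxusers:-unset}, expected $ram_mb"; status=1
    fi

    want=$(expected_ncsize "${maxusers:-0}")
    if [ "$ncsize" = "$want" ]; then
        echo "OK   ncsize=$ncsize equals 17*maxusers+90"
    else
        echo "FAIL ncsize=${ncsize:-unset}, 17*maxusers+90 gives $want"; status=1
    fi

    if [ -n "$ninode" ] && [ "$ninode" -ge "${ncsize:-0}" ]; then
        echo "OK   ufs_ninode=$ninode is at least ncsize"
    else
        echo "FAIL ufs_ninode=${ninode:-unset} is below ncsize=${ncsize:-unset}"; status=1
    fi
    return $status
}

# write_sample_system FILE: constructed sample /etc/system using the
# values listed in the article, for offline use.
write_sample_system() {
    cat > "$1" <<'EOF'
* constructed sample /etc/system, values taken from the article
set sq_max_size = 800
set tcp:tcp_conn_hash_size = 16384
set rlim_fd_cur = 32768
set rlim_fd_max = 65535
set autoup = 300
set tune_t_fsflushr = 5
set maxpgio = 25468
set slowscan = 500
set maxusers = 2048
set ncsize = 34906
set ufs_ninode = 34096
EOF
}

# Live run on a 2 GB Solaris host:  sh system_check.sh 2048
if [ $# -ge 1 ]; then
    check_system "$1" "${2:-}"
fi
```

The check reads the file only; once the report is all OK, the usual practice is to keep a copy of /etc/system under change control and re-run the check before every reboot.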
 



Legacy ID: 2008013009293754

