Symantec Messaging Gateway (SMG) - Best Practices: Performance
Article: TECH89920 | Created: 2008-01-16 | Updated: 2012-01-30 | Article URL: http://www.symantec.com/docs/TECH89920
The following document is a checklist to help get the most out of your Symantec Messaging Gateway (SMG) deployment in terms of performance.
The following sections provide suggestions and changes that will help an SMG appliance administrator improve overall product performance and stability.
Reducing the amount of spam messages the product processes will increase the resources available for valid messages.
For more information on how to better reduce the amount of spam entering your network check the following KB article:
Policy Groups and Content Filtering policies
The number and complexity of Policy Groups and Content Filtering policies are among the variables to consider when performance optimization is required. Given the number of variables in play, there is no fixed optimum number of policies that can be provided as a guideline. The administrator should tune the settings and assess the impact Content Filtering has on performance by testing different configurations. As a general rule, try to reduce the total number of policies whenever possible.
An accuracy of less than 1 in a million false positives makes SMG appliances the gold standard of antispam solutions.
Spam could represent more than 90% of the total volume of messages you receive.
According to several studies, the time lost deleting spam costs the most in lost productivity, so we strongly suggest setting the antispam policies to delete spam automatically.
Spam attacks will try to open as many connections as possible, so Symantec recommends the following:
Version 8.x or newer:
- Enable the "Connection Classification" feature. To make this change, navigate to Reputation > Connection Classification and select the checkbox if it is not already selected.
See the topic in the Administrator's Guide for complete information about this feature.
Version 7.7.x and older:
- Lower the maximum number of connections per IP to a value such as 2 or 3.
This will not affect legitimate traffic. Disabling reverse DNS lookups is also recommended.
To make these changes:
- Log in to the Control Center.
- Navigate to Administration > Configuration. Click the host to change.
- Navigate to SMTP > Advanced Settings.
- Under "Inbound SMTP Configuration" change the "Maximum number of connections from a single IP address" to 2.
- Under "Inbound SMTP Configuration" and "Outbound SMTP Configuration" uncheck the box next to "Enable reverse DNS lookup."
- Click Continue.
- Click Save.
Use sender authentication technologies
Sender ID and SPF (Sender Protection Framework) can help. However, if you enable these technologies, do not apply them to "All domains"; add only the domains that you know have a proper Sender ID/SPF DNS record in place.
To find domains with proper SPF records you can use the following website:
To use nslookup to find if a specific domain has the proper SPF record in place:
- Open a command prompt
- Type nslookup -querytype=TXT domain.com
A proper response will return something like:
domain.com text = "v=spf1 ip4:192.168.1.1 ip4:192.168.2.1 -all"
The important part is the -all: if the domain's record does not have the -all, it is not properly set.
Instead of deleting invalid SPF messages, you can start by tagging the subject lines, then change the action once you are confident about the technology.
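The -all check described above can be run over saved nslookup output for a whole list of candidate domains before they are added to the policy. The following is an added example, not part of the original article or of SMG; the function names and the sample answers other than the article's domain.com line are constructed for illustration.

```python
import re

# Constructed sample of `nslookup -querytype=TXT` answers (placeholder domains,
# not real DNS data). The third answer uses the multi-line, split-string layout.
SAMPLE_OUTPUT = '''\
domain.com  text = "v=spf1 ip4:192.168.1.1 ip4:192.168.2.1 -all"
softfail.example  text = "constructed-verification-token"
softfail.example  text =

        "v=spf1 include:_spf.softfail.example " "~all"
nospf.example  text = "unrelated TXT record"
'''

HEADER = re.compile(r'^(\S+)\s+text\s*=\s*(.*)$')
QUOTED = re.compile(r'"([^"]*)"')
ALL_MECH = re.compile(r'^([+\-~?]?)all$', re.IGNORECASE)

def parse_txt_records(output):
    """Return {domain: [record, ...]}; strings of one record are concatenated."""
    records, current = {}, None
    for line in output.splitlines():
        m = HEADER.match(line)
        if m:  # a "name text =" line starts a new TXT record
            current = records.setdefault(m.group(1).lower(), [])
            current.append("")
            line = m.group(2)
        if current is not None:
            current[-1] += "".join(QUOTED.findall(line))
    return records

def spf_verdict(txt_records):
    """Apply the article's criterion: only a policy ending in -all is proper."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return "no SPF record"
    if len(spf) > 1:
        return "multiple SPF records"  # an error under RFC 7208
    terms = spf[0].split()[1:]
    for term in terms:
        m = ALL_MECH.match(term)
        if m:
            qualifier = m.group(1) or "+"  # a bare "all" means "+all"
            return "proper (-all)" if qualifier == "-" else f"not properly set ({qualifier}all)"
    if any(t.lower().startswith("redirect=") for t in terms):
        return "redirect: check the target domain's record"
    return "not properly set (no all)"

def check_domains(output):
    return {d: spf_verdict(r) for d, r in parse_txt_records(output).items()}

if __name__ == "__main__":
    for domain, verdict in check_domains(SAMPLE_OUTPUT).items():
        print(f"{domain}: {verdict}")
```

Only domains reported as "proper (-all)" meet the article's criterion for being added to the sender authentication list.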
Quarantine management and Suspected Spam
Sending spam to quarantine introduces cost in lost productivity and greatly increases the storage and resource requirements.
If you are comfortable with the number of false positive messages, you can set spam to be deleted and use quarantine for suspected spam only.
Because the data storage requirements for some reports can be high, choose an appropriate length of time to store report data.
The following extended statistics consume a large amount of disk space, so enable them only if necessary and, if enabled, make sure you do not keep those statistics for too long:
- Sender domains
- Sender HELO domains
- Sender IP connections
- Recipient domains
Normal report data is kept for 7 days by default.
The product comes configured with low verbosity logging level by default (i.e. Warnings).
Higher logging levels should be used only while troubleshooting and in cases where you need more details about a certain process or component (e.g. the Mail Transfer Agent).
Quarantine, log and report information is stored in the database that runs on the Control Center.
You may want to reduce the information you keep in the database as much as you can: avoiding a high number of writes and reads to the database improves performance and lowers disk space and CPU utilization.
The purpose of the expunger is to reduce the size of the data. There are separate controls for the expunger to operate on the quarantine, logs and reports data.
The expunger will delete information beyond the threshold settings. The quarantine and report expungers temporarily cease communication for new reports and quarantined messages while they run. Keep in mind that if you use quarantine for suspected spam and set the expunger to run every 4 hours, the quarantine SMTP listener will be down every 4 hours while the expunger runs. For this reason we do not recommend setting these two expungers to a value lower than 1 day. The default settings are usually the recommended ones to use.
The general guidelines for the quarantine expunger are:
- Global and per-user quarantine limits have no impact whatsoever on insertion throughput.
- These limits may be exceeded temporarily until the next expunger cycle enforces them.
- Date-based expunging is the fastest option.
- Global thresholds are slower but can give more precise control over disk space and message count; the latter is important for quarantine search query performance.
- Per-user thresholds can be very expensive to enforce, and are not recommended for larger deployments such as more than 5,000 users.
It is recommended to configure these processes to run during the hours of lowest load, usually the first hours of the day.
The default expunger times for our components are:
- Quarantine Expunger 1 A.M.
- Log Expunger 2 A.M.
- Report Expunger 3 A.M.
SMG Virtual Edition (SMG VE)
When deploying SMG VE, some aspects unique to virtual appliances must be considered. Check the following article for information:
For more information about these topics, please consult the Administrator's Guide: