
Best practices for LDAP scalability with Symantec Brightmail Gateway


Article ID: 179731




Messaging Gateway




If using the directory data service in a large or distributed environment, consider the following best practices to improve system performance and scalability:


·         Use directory data service caching functionality to improve throughput and reduce the load on your directory servers.

Set the cache size based on the system's needs and memory availability. Symantec recommends that this value be set equal to or greater than the number of users and groups in the environment. This number should include distribution lists, contacts, public folders, and any other LDAP entry that lists a deliverable email address or a username.

See Configuring data source advanced settings.

See Editing advanced settings for a data source.
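As an added example (not part of the Symantec article), the following Python script counts the entries in a constructed LDIF export that list a deliverable address or a username and reports the resulting minimum cache size; it assumes Active Directory style attribute names (mail, proxyAddresses, sAMAccountName).

```python
"""Estimate the directory data service cache size from an LDIF export.
Added example, not Symantec code. Counts every entry with a deliverable
address (mail / proxyAddresses) or a username (sAMAccountName)."""
import re
from collections import Counter

# Constructed sample export; the last group has no address and must not count.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
mail: alice@example.com

dn: CN=Sales,OU=Groups,DC=example,DC=com
objectClass: group
mail: sales@example.com

dn: CN=Partner,OU=Contacts,DC=example,DC=com
objectClass: contact
mail: partner@partner.example

dn: CN=Archive,OU=Folders,DC=example,DC=com
objectClass: publicFolder
proxyAddresses: SMTP:archive@example.com

dn: CN=Printers,OU=Groups,DC=example,DC=com
objectClass: group
description: no address or username, so it is not cached
"""

DELIVERABLE_ATTRS = {"mail", "proxyaddresses", "samaccountname"}

def parse_ldif(text):
    """Yield one {lowercase attribute: [values]} dict per LDIF entry."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(key.strip().lower(), []).append(value.strip())
        if entry:
            yield entry

def recommended_cache_size(text):
    """Return (count per objectClass, minimum cache size) for the export."""
    counts = Counter()
    for entry in parse_ldif(text):
        if DELIVERABLE_ATTRS.intersection(entry):
            counts[entry.get("objectclass", ["unknown"])[-1].lower()] += 1
    return counts, sum(counts.values())
```

Run it against a real export (for example from ldifde or ldapsearch) and size the cache at or above the second value returned.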


·         Use alert settings to manage the processes and cache.

The Monitor swap space utilization alert triggers when swapping exceeds the specified utilization. Use the swap alert to make sure that the systems have adequate RAM for all Symantec Brightmail Gateway processes, including the directory data service cache.

The default value to trigger this alert is 50% and can be modified as needed. For high performance deployments that are adequately provisioned with memory, there should be little or no swap space utilization. Symantec recommends setting the swap space alert threshold to only a few percent for such deployments.

The Undersized data source cache alert will indicate immediately when it is necessary to increase the cache size to support the data.

See Types of alerts.


·         Use the Symantec Brightmail Gateway directory cache preloader to complete the cache building process before directing the production mailflow to the system.

For most deployments, caches can be built gradually through normal system activity with adequate system performance and preloading the cache is not necessary. For some deployments with very large directories or slow LDAP connections, however, the preloader can be used to avoid temporary performance problems that may occur while a very large cache is built.

Perform this task offline (for example, during a maintenance window) as the preloaded caches are not available to your Scanners until the process is complete.

See About preloading your directory data cache.


·         Use the Minimum TTL (Time to Live) and Maximum TTL settings on the Advanced Settings page to find the right balance of cache refresh frequency versus data freshness.

Adequate spread smooths out the load on the LDAP servers by randomizing the expiration of cache entries. Refreshes that occur too frequently can increase processing time, but failing to refresh often enough results in stale data. Work with the directory administrator to determine the right refresh rate for the system.

See About the directory data cache.

See Configuring data source advanced settings.

See Editing advanced settings for a data source.
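The following simulation, added here and not part of the article, shows why a spread between Minimum TTL and Maximum TTL matters: it counts LDAP refreshes per second for a constructed cache of 10,000 entries that were all loaded at the same moment (as after a preload or a cache clear), once with a fixed TTL and once with expiry randomized within the configured range.

```python
"""Compare cache refresh load with a fixed TTL and with a randomized TTL
between Minimum TTL and Maximum TTL. Added example, not Symantec code; the
entry count, TTL values and time horizon are constructed."""
import random
from collections import Counter

def refresh_load(entries, min_ttl, max_ttl, horizon, seed=1):
    """Return {second: number of entries refreshed} over `horizon` seconds.
    All entries are loaded at second 0. At each expiry an entry picks a new
    TTL uniformly in [min_ttl, max_ttl]; min_ttl == max_ttl is a fixed TTL."""
    rng = random.Random(seed)
    load = Counter()
    for _ in range(entries):
        t = 0
        while True:
            t += rng.randint(min_ttl, max_ttl)
            if t >= horizon:
                break
            load[t] += 1
    return load

def peak_refreshes_per_second(entries, min_ttl, max_ttl, horizon, seed=1):
    """Worst single-second refresh burst the directory server has to absorb."""
    load = refresh_load(entries, min_ttl, max_ttl, horizon, seed)
    return max(load.values()) if load else 0

if __name__ == "__main__":
    fixed = peak_refreshes_per_second(10_000, 3600, 3600, 7200)
    spread = peak_refreshes_per_second(10_000, 1800, 7200, 7200)
    print(f"fixed TTL peak: {fixed}/s, spread TTL peak: {spread}/s")
```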


·         Improve Symantec Brightmail Gateway system performance by turning off distribution list expansion.

Disabling Distribution list expansion can significantly increase mail delivery throughput. If Distribution list expansion is disabled, however, distribution lists are not resolved into their individual members for policy evaluation.

This means that mail sent to a distribution list is subject only to the policies associated with the distribution list itself (either through an email address or a distinguished name). The policies associated with its individual members are not applied, even if they have higher precedence.

See Enabling distribution list expansion for your data sources.
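A small model of this policy evaluation, added here and not part of the article: the directory entries, list memberships and policy group precedence are constructed, and the matching rules are a simplification of the behavior described above, used only to show which policy a member ends up with when expansion is on or off.

```python
"""Model which policy group applies to mail sent to a distribution list when
list expansion is on versus off. Added example, not Symantec code; the
directory, memberships and precedence order are constructed."""

# Constructed directory: address -> (entry kind, member addresses).
DIRECTORY = {
    "all-staff@example.com": ("list", ["alice@example.com", "execs@example.com"]),
    "execs@example.com": ("list", ["bob@example.com"]),
    "alice@example.com": ("user", []),
    "bob@example.com": ("user", []),
}

# Policy groups in precedence order (first match wins); each lists the LDAP
# addresses (users or lists) that define its membership. None = default group.
POLICY_GROUPS = [
    ("Executives", {"execs@example.com"}),
    ("All Staff", {"all-staff@example.com"}),
    ("Default", None),
]

def expand(address, seen=None):
    """Recursively resolve a list into individual addresses; a user maps to itself."""
    seen = seen if seen is not None else set()
    if address in seen:            # guard against nested-list loops
        return set()
    seen.add(address)
    kind, members = DIRECTORY.get(address, ("user", []))
    if kind != "list":
        return {address}
    return set().union(*(expand(m, seen) for m in members))

def matches(group_addrs, recipient, expand_lists):
    """The recipient matches if its own address is listed or, only when
    expansion is on, if it is a member of a listed distribution list."""
    if group_addrs is None or recipient in group_addrs:
        return True
    return expand_lists and any(recipient in expand(a) for a in group_addrs)

def policies_for(recipient, expand_lists):
    """Return {effective recipient: policy group} for mail sent to `recipient`."""
    targets = expand(recipient) if expand_lists else {recipient}
    return {t: next(name for name, addrs in POLICY_GROUPS
                    if matches(addrs, t, expand_lists)) for t in sorted(targets)}
```

With expansion off, mail to all-staff@example.com gets only the "All Staff" policy; with it on, bob@example.com is evaluated individually and the higher-precedence "Executives" policy applies to him.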


·         Limit the number and size of LDAP groups and distribution lists associated with policy groups.

If a data source cache is cleared or a configuration change is made to the policy groups or a directory data source, the Symantec Brightmail Gateway must reload group information from the directory. This can result in the growth of inbound or outbound message queues.

For most deployments this process takes only a few seconds and results in an insignificant queue backup, if any at all. However, in cases where LDAP access is slow, or the policy groups reference many thousands of LDAP users, a noticeable backup can occur. For best performance, Symantec recommends using the default group to implement the most common behavior and then assigning specific policies to smaller groups as necessary.

See Creating a policy group.


·         To improve performance for queries, restrict the Base DN for your LDAP queries to cover only the data that is needed for the data source.

The larger the scope of the query, the longer the searches take. Poor query performance for quarantine address resolution can lead to a backup in delivery queues. Poor query performance for address resolution can cause inbound or outbound queues to back up.

See About data source queries.

If the data source uses the Active Directory Global Catalog, be sure to configure the directory data service to use the global catalog port (default 3268) instead of the domain controller port (default 389).

See Adding a data source.


·         Create read-only copies of firewalled LDAP servers and place them outside of the firewall to improve connection time.

In an environment where Scanner hosts are located outside the firewall and LDAP servers reside inside the firewall, it is possible to speed up connection and query times by setting up replicas of those LDAP servers outside the firewall and near the Scanners in the network.

Figure: Mail configuration example for a firewalled server provides an example of a firewalled server configuration and how it might be possible to use an LDAP server replica to improve processing time.

The directory administrator can determine the best path for this action based on the system configuration.



Figure: Mail configuration example for a firewalled server