Linux mail gateway

Where I work I ran a Mandrake-based firewall with Postfix and MailScanner for four years. I really, really liked MailScanner, but for my colleagues the setup was “too complicated”, so I moved to EFW, the Endian Firewall community edition. What it brings in ease of use it lacks in flexibility.

Finally my prayers have been answered, and I’m moving again, this time to a custom-built, full-fledged mail gateway with MailScanner. Check out: this howto.

Windows 2003 slow network application performance

I was bitten very hard by something that is quite hidden and took a while to figure out.

I moved an application from Windows 2002 to Windows 2003, and in the process services that had been on the same machine were spread over different machines, which means they now talk to each other over the LAN instead of the loopback adapter.

Now imagine an application running on top-of-the-line servers (8 CPUs, 10 GB RAM) that runs slower than it did on a six-year-old server…

The main clue that something was blocking performance was that there was no CPU load. The application was not processing anything, just waiting…

Our friendly tool Wireshark (http://www.wireshark.org/) started to shed some light on the issue. Most of the gaps between packets, namely between a PSH/ACK and the answer to it, were around 200 ms. Processing the application log files told the same story: lots of operations under 10 ms and a “bump” around the 200 ms mark.

To make a long story short… Although most Windows server deployments sit on high-speed enterprise LAN segments, Windows 2003 ships with TCP delayed acknowledgement turned on by default: a 200 ms timer meant to save packets on slow WAN links! The algorithm that usually gets the blame is Nagle, but the 200 ms figure itself is the delayed-ACK timer; it is the two working together that hurt.

What does it mean? If Windows has data to send back it replies right away, piggybacking the ACK on that data and saving a packet. If it has no data it waits up to 200 ms and only then sends a lone ACK… Meanwhile the other side, with Nagle’s algorithm active, holds its next small segment until that ACK arrives, so a fifth of a second passes with both ends waiting on each other. Small-number theory says that a lot of small numbers added up give one big number, hence seconds of pure slowness.
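To confirm in a capture that the 200 ms gaps really are the delayed-ACK timer, and to see which host is holding the ACKs, here is an added example that is not part of the original post. It reads tshark’s tcp.analysis.ack_rtt field (the time between a segment and the ACK that covered it) and counts the ACKs that fall in the delayed-ACK band. The CAPTURE variable, the 0.15 s to 0.25 s band and the sample rows are my assumptions; the sample rows are constructed to look like tshark’s field output.

```shell
#!/bin/sh
# Added example (not from the original post): find delayed-ACK stalls in a capture.
# Assumes tshark is installed and CAPTURE names a pcap of the slow conversation.
# A lone ACK that waited for the 200 ms timer shows up with ack_rtt near 0.2 s,
# while a LAN round trip is well under 1 ms.

# Print "frame stream ack_src ack_rtt" for every frame that acknowledges data.
extract_ack_rtt() {
    tshark -r "$1" -Y 'tcp.analysis.ack_rtt' -T fields \
        -e frame.number -e tcp.stream -e ip.src -e tcp.analysis.ack_rtt
}

# Read those lines on stdin and print how many ACKs fell inside the
# delayed-ACK band (low <= rtt < high, default 0.15 s to 0.25 s).
count_delayed_acks() {
    awk -v low="${1:-0.15}" -v high="${2:-0.25}" \
        '$4 + 0 >= low && $4 + 0 < high { n++ } END { print n + 0 }'
}

# Same input; print "host count" lines, sorted, so the host sending the late
# lone ACKs (the one that needs the registry change) stands out.
delayed_ack_sources() {
    awk -v low="${1:-0.15}" -v high="${2:-0.25}" \
        '$4 + 0 >= low && $4 + 0 < high { per[$3]++ }
         END { for (h in per) printf "%s %d\n", h, per[h] }' | sort
}

# Constructed sample standing in for extract_ack_rtt "$CAPTURE": two clients
# talking to 10.0.0.20, which holds its ACKs for the 200 ms timer. tshark
# separates fields with tabs; awk splits on spaces or tabs alike.
SAMPLE='12 0 10.0.0.5 0.000312
14 0 10.0.0.20 0.201104
20 1 10.0.0.9 0.000198
23 1 10.0.0.20 0.199870
31 0 10.0.0.5 0.000250
33 0 10.0.0.20 0.200332
40 1 10.0.0.9 0.188000'

if [ -n "${CAPTURE:-}" ]; then
    extract_ack_rtt "$CAPTURE" | delayed_ack_sources
else
    printf '%s\n' "$SAMPLE" | delayed_ack_sources
fi
```

Run it with CAPTURE=slow.pcap against a real trace; with no capture it analyses the constructed sample. A host that appears with dozens of hits and an ack_rtt stuck just above 0.2 s is holding its ACKs for the timer, which is exactly the signature described above.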

To let your applications use all your LAN throughput you need to switch off the 200 ms delay on the receiving side:

Here’s how (the TcpAckFrequency registry entry, set per network interface): http://support.microsoft.com/?scid=kb%3Ben-us%3B328890&x=11&y=13

After the change documented there, the application caught fire and ran like a rocket.

Update: Also check: http://support.microsoft.com/kb/898468

Update2: Also check: http://support.microsoft.com/kb/948496 -> this update turns off the Scalable Networking Pack offload “features” (TCP Chimney Offload, Receive Side Scaling)…

Running Jboss on port 80 on Linux

Some customers have traffic-shaping network policies that severely restrict throughput on port 8080, JBoss’s default, because most internet proxies listen on that port.

So to keep internal JBoss servers out of the traffic shaper, the solution is to move JBoss to port 80 (or another unshaped port).

Editing server.xml and changing the default 8080 to 80 is easy, but on Linux it brings an additional problem: ports below 1024 are privileged, which means JBoss would have to run as root… a big no-no…

So how do you keep Jboss running as a non privileged user and bound to port 80?

Well, after a bit of research with our friend Google, it turns out to be quite easy:

Normally I use the boot script located here: Jboss Boot Script .

Before the line su -l jboss -c ... which starts JBoss under the jboss user, add the following line:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

(EDIT: Please note that it’s dash dash (--) before the dport and to-port parameters, not a single dash (-).)

This redirects every request arriving from the network on port 80 to port 8080, with JBoss still running safely under its own user… The same rule with 443 and 8443 does it for HTTPS. Two things to keep in mind: the rule lives only in the running kernel, which is why it belongs in the boot script, and PREROUTING only rewrites traffic coming in from the network, so connections made on the server itself to localhost:80 are not redirected, and port 8080 stays reachable directly unless you firewall it.

Easy, simple and no messing around in server.xml.
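As an added example that is not the post’s own boot script, the following POSIX sh helper generates the redirect rules for both HTTP and HTTPS and goes a little beyond the single rule above: it validates the port numbers, adds the nat OUTPUT rule that covers connections made on the server itself (those never traverse PREROUTING), and adds a filter rule that drops direct connections to 8080/8443 while letting the redirected ones through, since the redirect alone does not hide those ports. It assumes JBoss still listens on 8080 and 8443 and that the boot script runs as root; the APPLY variable is my own convention, so by default the script only prints the commands.

```shell
#!/bin/sh
# Added example (not the post's boot script): map privileged ports onto the
# unprivileged ones JBoss listens on, so JBoss keeps running as user jboss.
# Assumes the connectors still listen on 8080/8443. Run as root with APPLY=1
# to execute the rules; without it the commands are only printed.

# Accept only a plain TCP port number in 1-65535; return 1 otherwise.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the iptables commands that map PUBLIC_PORT onto APP_PORT.
# PREROUTING catches traffic arriving from the network; nat OUTPUT on lo
# catches connections the box makes to itself (curl http://localhost/),
# which never pass through PREROUTING. The -o lo restriction matters:
# without it every outbound connection to port 80 would be hijacked too.
redirect_rules() {
    pub=$1; app=$2
    validate_port "$pub" && validate_port "$app" || return 1
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$pub" "$app"
    printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$pub" "$app"
}

# The redirect does not hide APP_PORT: anyone can still connect to 8080
# directly. REDIRECT flags the connection as DNAT in conntrack, so a filter
# rule can drop direct hits on APP_PORT while passing the redirected ones.
close_direct_access() {
    validate_port "$1" || return 1
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack ! --ctstate DNAT -j DROP\n' "$1"
}

# Execute the generated commands only when APPLY=1 (and therefore as root);
# otherwise show them for review.
apply_rules() {
    if [ "${APPLY:-0}" = 1 ]; then sh; else cat; fi
}

{
    redirect_rules 80 8080
    redirect_rules 443 8443
    close_direct_access 8080
    close_direct_access 8443
} | apply_rules
```

Put it in the boot script before the su -l jboss line and run it with APPLY=1. The DROP rule is appended to INPUT, so it only has an effect if no earlier rule already accepts everything; check the result with iptables -t nat -L -n and iptables -L INPUT -n.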

On Windows I think you’re out of luck, but hey, there anyone can bind to port 80…