sync: auto-sync from GURU-5070 at 2026-06-16 09:02:24

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-16 09:02:24

.claude/memory/MEMORY.md

@@ -28,6 +28,7 @@
 - [Trebesch DESKTOP-QNP3ON5 shell replacement](reference_trebesch_qnp3on5.md) — AT Trebesch box runs an Explorer shell replacement; explorer.exe owner check returns blank — use Win32_ComputerSystem.UserName. GuruRMM SWIFT-LION-2892.
 - [reference_backblaze_storage_rate](reference_backblaze_storage_rate.md) -- ACG's Backblaze B2 storage cost rate ($0.00695/GB) for the GuruRMM mspbackups storage-cost calculation
 - [Unraid VM no-IP causes](unraid-windows-vm-virtio-no-ip.md) — PRIMARY (general "new VMs stopped getting IPs lately"): Docker sets bridge-nf-call-iptables=1, so br0 VM DHCP OFFERs hit DOCKER-FORWARD (no br0 ACCEPT) and get dropped; new VMs can't complete DORA (existing renew via ESTABLISHED). Fix `=0` runtime (needs persistent post-Docker hook; not yet persisted on Jupiter). SECONDARY (Windows VM): virtio-net has no in-box driver -> use e1000 or virtio-win. Diagnose: tcpdump DHCP on pfSense; /sys vnetN rx_packets.
+- [Starr Pass mail routing](reference_starrpass_mail_routing.md) — starrpass.com is DIRECT to MS (EOP/Defender, tenant 222450dd…); only devconllc.com is on Mailprotector (MP acct 16170). Check @starrpass.com quarantine/rejects via remediation-tool, not Mailprotector.
 - [AAD Connect msDS-KeyCredentialLink writeback](reference_aadconnect_keycredlink_writeback.md) — "completed-export-errors" + 8344 INSUFF_ACCESS_RIGHTS on a protected admin account = WHfB key writeback blocked by AdminSDHolder. Diagnose with csexport /f:x; fix with dsacls WP;msDS-KeyCredentialLink on AdminSDHolder + SDProp.
 - [reference_sqlx_migrations_immutable](reference_sqlx_migrations_immutable.md) -- NEVER edit an already-applied sqlx migration file — even a comment. sqlx::migrate! checksums each file at compile time and validates against _sqlx_migrations at startup; a changed checksum crash-loops the server with "migration N was previously applied but has been modified". Code review MUST flag any edit to an applied migration.
 

.claude/memory/reference_starrpass_mail_routing.md

@@ -0,0 +1,23 @@
+---
+name: reference_starrpass_mail_routing
+description: Starr Pass mail routing — starrpass.com is DIRECT to Microsoft (EOP/Defender), NOT Mailprotector; only devconllc.com is on Mailprotector. Check quarantine/rejects accordingly.
+metadata:
+  type: reference
+---
+
+**Starr Pass** email routing (don't reach for Mailprotector first):
+
+- **starrpass.com** delivers **direct to Microsoft** — M365 tenant `starrpass.com`
+  (tenant id `222450dd-141f-435f-87b8-cec719aac99e`). Quarantined / rejected / held / message-trace
+  questions for an @starrpass.com address = **EOP / Defender**, via the `remediation-tool`
+  (`investigator-exo` → EXO REST InvokeCommand: `Get-QuarantineMessage`, `Get-MessageTraceV2`,
+  `Get-MessageTraceDetailV2`). NOT on the Mailprotector/CloudFilter platform.
+- The Mailprotector **"Starr Pass" account (id 16170)** covers ONLY the domain **devconllc.com**
+  (Devcon LLC, their management company) — domain id `27629`. So a Mailprotector `find-user
+  cansley@starrpass.com` 404s and `starrpass.com` is absent from the MP domain list — that's expected,
+  not a fault.
+
+Practical: for any @starrpass.com mail-flow ask, go straight to the remediation-tool/EOP. Use
+Mailprotector only for devconllc.com. (Confirmed by Mike 2026-06-16 while checking quarantined/rejected
+mail for cansley@starrpass.com — the "rejected" mail was `550 5.1.10 RecipientNotFound` from before the
+mailbox was provisioned, now delivering.) Related: [[reference_resource_map]].