azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Session log: Dataforth GAGEtrak investigation, jlohr ntirety.com forwarding, DKIM rotation (2026-05-12)

Browse Source 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-05-12 11:01:16 -07:00
parent e2316bfbf4
commit b3fb51a052
2 changed files with 138 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

136
clients/dataforth/session-logs/2026-05-12-session.md Normal file
View File

@@ -0,0 +1,136 @@
# Session Log — Dataforth Corporation
**Date:** 2026-05-12
**Type:** Client work — GAGEtrak email investigation, jlohr forwarding setup, DKIM key rotation
**Ticket:** #32142 (internal ID 108919783) — "Remote - Error message from Gagetrak"
## User
- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin
---
## Session Summary
Investigated a GAGEtrak automated email delivery issue reported by Kevin Wackerly, who said he did not receive the expected Monday morning Calibration Due List email. The calibration@dataforth.com account was reviewed via Graph API and found fully healthy — sign-in allowed, SMTP AUTH enabled, password from the 2026-04-23 fix still in place. A search of Kevin's inbox confirmed the email WAS delivered, but on Tuesday (2026-05-12 at approx 8:34 AM MST) rather than Monday. The discrepancy was identified as a likely schedule drift in GAGEtrak on DF-GAGETRAK — Kevin was advised to verify the scheduled task on that machine.
DKIM configuration for dataforth.com was reviewed during the session. The EAC showed DKIM was already enabled. Selector2's TXT record had previously been NXDOMAIN, indicating the key had not been published by Microsoft. The client rotated the domain signing keys via EAC. Post-rotation DNS verification confirmed both selector1 and selector2 CNAMEs and TXT records are resolving correctly. M365 will automatically cut over signing from selector1 to selector2 on 2026-05-16.
A separate task involved setting up forwarding from jlohr@dataforth.com to mike@azcomputerguru.com for emails originating from ntirety.com. Joel Lohr is a retired Dataforth employee whose account is intentionally kept enabled to receive these emails. An inbox rule was created on the jlohr mailbox, but initial delivery attempts failed with 550 5.7.520 AS(7555) — the Dataforth tenant's default outbound spam policy blocks external auto-forwarding. A transport rule (BlindCopyTo) was attempted as an alternative but was blocked by an INKY PhishFence transport rule that fires at high priority with StopProcessingRules=true, killing all subsequent rules. The transport rule approach was abandoned. A scoped outbound spam filter policy (Allow-External-Forward-jlohr, AutoForwardingMode=On) was created targeting jlohr@dataforth.com specifically, then the inbox rule was re-created. Forward is configured and awaiting final delivery confirmation.
---
## Key Decisions
- **jlohr account retention confirmed:** Account kept enabled post-retirement at Mike's direction (2026-05-12) to receive ntirety.com email forwards. Active-directory.md updated to reflect this decision.
- **Scoped spam exception over tenant-wide:** Created a per-sender outbound spam policy (Allow-External-Forward-jlohr) rather than modifying the Default policy — limits blast radius to jlohr only. Changing AutoForwardingMode tenant-wide would expose all users to the same capability.
- **Inbox rule over transport rule:** Abandoned BlindCopyTo transport rule because INKY's stop-processing-rules action kills all downstream rules. Inbox rules execute post-delivery, outside the transport pipeline, and are not affected by INKY.
- **DKIM rotation accepted as-is:** selector2 TXT was NXDOMAIN before rotation. After client rotated keys, Microsoft published the new key for selector2. Both selectors now valid. No manual DNS changes required — CNAMEs were already in place.
- **GAGEtrak schedule not changed:** Confirmed email delivery is occurring, just on Tuesday not Monday. No changes made to GAGEtrak config — left for Kevin to investigate the schedule on DF-GAGETRAK.
---
## Problems Encountered
- **550 5.7.520 AS(7555) — external auto-forwarding blocked:** Dataforth tenant default outbound spam policy (AutoForwardingMode=Automatic) rejects all external auto-forwards including inbox rules. Resolved by creating a scoped outbound spam filter policy for jlohr@dataforth.com with AutoForwardingMode=On.
- **Transport rule BlindCopyTo silently failing:** INKY PhishFence transport rule "INKY - Post-Processing - Inbox" (ID B859327F-3FBD-4BE7-A47A-97D02F1558A7) fires first and calls StopProcessingRules=true, preventing our BCC rule from executing. Confirmed via Get-MessageTraceDetailV2 — detail showed INKY rule event followed immediately by delivery, with no custom rule event. Resolved by abandoning transport rule approach entirely and using inbox rule instead.
- **Inbox rule deleted mid-session:** During the transport rule investigation the inbox rule was removed. Re-created after the spam policy exception was confirmed.
- **Get-MessageTrace deprecated:** Get-MessageTrace returns validation error. Switched to Get-MessageTraceV2 throughout. Get-MessageTraceDetail likewise replaced by Get-MessageTraceDetailV2.
- **Graph API UPN lookup for calibration@ returned nulls:** Looked up by object ID (cdb246e8-a7f9-416b-a07c-e5b5cc50ec1d) sourced from Exchange ExternalDirectoryObjectId field instead.
- **Transport rule scope mismatch:** New-HostedOutboundSpamFilterRule does not accept SentTo (inbound concept). Corrected to From (sender) parameter — appropriate for outbound spam rules scoped to a specific sending account.
---
## M365 Configuration Changes
| Object | Type | Change |
|---|---|---|
| `Allow-External-Forward-jlohr` | HostedOutboundSpamFilterPolicy | Created — AutoForwardingMode=On |
| `Allow-External-Forward-jlohr-rule` | HostedOutboundSpamFilterRule | Created — From: jlohr@dataforth.com, Priority: 0 |
| `Forward ntirety.com to Mike Swanson` | Inbox Rule (jlohr mailbox) | Created — FromAddressContainsWords: ntirety.com, ForwardTo: mike@azcomputerguru.com |
| `Forward ntirety.com to jlohr -> Mike Swanson` | Transport Rule | Created (now defunct — blocked by INKY). Candidate for deletion. |
| dataforth.com DKIM | DkimSigningConfig | Keys rotated by client. KeyCreationTime: 2026-05-12T17:24:18Z. RotateOnDate: 2026-05-16T17:24:18Z. SelectorBeforeRotateOnDate: selector1 |
---
## Infrastructure Reference
| System | Detail |
|---|---|
| Dataforth M365 tenant | 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584 / dataforth.com |
| ACG M365 tenant | ce61461e-81a0-4c84-bb4a-7b354a9a356d / azcomputerguru.com |
| DF-GAGETRAK | 192.168.0.102 — GAGEtrak calibration software host |
| calibration@dataforth.com object ID | cdb246e8-a7f9-416b-a07c-e5b5cc50ec1d |
| jlohr@dataforth.com | Joel Lohr — retired, account retained for ntirety.com forwarding |
| DKIM selector1 CNAME | selector1._domainkey.dataforth.com → selector1-dataforth-com._domainkey.dataforthcom.onmicrosoft.com |
| DKIM selector2 CNAME | selector2._domainkey.dataforth.com → selector2-dataforth-com._domainkey.dataforthcom.onmicrosoft.com |
| INKY PhishFence transport rule | "INKY - Post-Processing - Inbox", ID: B859327F-3FBD-4BE7-A47A-97D02F1558A7 — fires StopProcessingRules, blocks all subsequent transport rules |
| Syncro ticket | #32142 / internal ID 108919783 — "Remote - Error message from Gagetrak" |
---
## Credentials
- **calibration@dataforth.com password:** `lMRCN#o2uP3$cwuoKIx0` (set 2026-04-23, still active)
- **Remediation tool tiers used:** investigator (Graph read), exchange-op (Exchange write), user-manager (Graph user write)
- **Token cache:** `/tmp/remediation-tool/{tenant-id}/{tier}.jwt` (55-min TTL)
- **Vault files:**
- Security Investigator: `msp-tools/computerguru-security-investigator.sops.yaml`
- Exchange Operator: `msp-tools/computerguru-exchange-operator.sops.yaml`
- User Manager: `msp-tools/computerguru-user-manager.sops.yaml`
- **Syncro API key:** `T259810e5c9917386b-52c2aeea7cdb5ff41c6685a73cebbeb3`
- **Syncro API base:** `https://computerguru.syncromsp.com/api/v1`
- **Syncro comment endpoint:** `POST /api/v1/tickets/{id}/comment` (not `/comments`)
---
## Key API Calls
```bash
# DKIM signing config (works via InvokeCommand, NOT via direct adminapi path)
POST https://outlook.office365.com/adminapi/beta/{tenant}/InvokeCommand
{"CmdletName": "Get-DkimSigningConfig", "Parameters": {"Identity": "dataforth.com"}}
# Outbound spam policy (scoped to jlohr)
{"CmdletName": "New-HostedOutboundSpamFilterPolicy", "Parameters": {"Name": "Allow-External-Forward-jlohr", "AutoForwardingMode": "On"}}
{"CmdletName": "New-HostedOutboundSpamFilterRule", "Parameters": {"Name": "Allow-External-Forward-jlohr-rule", "HostedOutboundSpamFilterPolicy": "Allow-External-Forward-jlohr", "From": ["jlohr@dataforth.com"]}}
# Inbox rule on jlohr
{"CmdletName": "New-InboxRule", "Parameters": {"Mailbox": "jlohr@dataforth.com", "Name": "Forward ntirety.com to Mike Swanson", "FromAddressContainsWords": ["ntirety.com"], "ForwardTo": ["mike@azcomputerguru.com"], "StopProcessingRules": false}}
# Message trace (V2 required — V1 deprecated Sept 2025)
{"CmdletName": "Get-MessageTraceV2", "Parameters": {"RecipientAddress": "...", "StartDate": "...", "EndDate": "..."}}
{"CmdletName": "Get-MessageTraceDetailV2", "Parameters": {"MessageTraceId": "...", "RecipientAddress": "..."}}
```
---
## Files Created / Modified
| File | Action |
|---|---|
| `clients/dataforth/session-logs/2026-05-12-session.md` | Created — this file |
| `clients/dataforth/docs/active-directory.md` | Updated — jlohr row: noted account retention and ntirety forward; Action Items: strikethrough on disable-jlohr item |
---
## Pending / Follow-Up
- [ ] **[VERIFY]** Confirm jlohr inbox rule forward is delivering to mike@azcomputerguru.com — trigger one more ntirety.com test email
- [ ] **[CLEANUP]** Delete defunct transport rule "Forward ntirety.com to jlohr -> Mike Swanson" (blocked by INKY, serves no purpose)
- [ ] **[DATAFORTH ACTION]** Kevin Wackerly to verify GAGEtrak scheduled task on DF-GAGETRAK (192.168.0.102) — confirm whether run day is Monday or Tuesday
- [ ] **[AUTO 2026-05-16]** DKIM rotation to selector2 — automatic, no action required; verify selector2 is signing after that date if desired
- [ ] **[LONG-TERM]** Consider pushing Dataforth to Microsoft Authenticator from SMS MFA (noted from 2026-05-03 session, still pending Dan Center decision)
- [ ] **[LONG-TERM]** Confirm "Dime Client" app with Dan Center (noted from 2026-05-03 session)
---
## Syncro
| Field | Value |
|---|---|
| Ticket # | #32142 (internal 108919783) |
| Subject | Remote - Error message from Gagetrak |
| Customer | Dataforth Corp (id: 578095) |
| Status | Customer Reply (unchanged this session) |
| Comment added | ID 410543322, 2026-05-12 10:33 AM MST |