sync: auto-sync from GURU-5070 at 2026-05-26 15:58:46

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-05-26 15:58:46
2026-05-26 15:58:50 -07:00
parent 5bb2064716
commit c7e5dfc673
5 changed files with 1228 additions and 0 deletions

wiki/clients/quantumwms.md Normal file

@@ -0,0 +1,159 @@
---
title: Quantum WMS
slug: quantumwms
type: client
project_key: clients/quantumwms
last_updated: 2026-05-26
---
# Quantum WMS
## Overview
| Field | Value |
|---|---|
| Company | Quantum WMS |
| Primary domain | quantumwms.com |
| Personal domain | sheilaperess.com |
| M365 tenant | `NETORGFT2570783.onmicrosoft.com` / `8f7eaff4-f913-4d3f-b8b9-92e695d987c6` |
| GoDaddy admin | `plan@johnvelez.com` (John Velez) — ACG has delegate access |
| Project key | `clients/quantumwms` |
## Contacts
| Name | Role | Notes |
|---|---|---|
| John Velez | Primary / M365 global admin | plan@johnvelez.com; GoDaddy account owner for both domains |
| Sheila Peress | Owner/principal | sheilaperess.com personal domain; compliance decision-maker; final say on license tier |
## Current Email Infrastructure
- **Registrar:** GoDaddy (quantumwms.com + sheilaperess.com) — ACG has delegate access
- **DNS:** GoDaddy DomainControl (NS03/NS04.DOMAINCONTROL.COM) — no DNSSEC
- **Mail routing:** Intermedia hosted Exchange — `exch090.serverdata.net` cluster (east/west)
- IP: `64.78.25.106` (Intermedia data center)
- Autodiscover: `ar-east.exch090.serverdata.net`
- This is Exchange Server software hosted by Intermedia, NOT Exchange Online
- **Intermedia setup:** Appears hybrid on-premises Exchange — carries full Exchange Server CVE exposure
### DNS / Email Security Gaps (CRITICAL)
| Record | Status | Impact |
|---|---|---|
| DMARC | **MISSING** | Anyone can spoof @quantumwms.com with no enforcement |
| SPF | **TWO RECORDS** (misconfiguration) | RFC 7208 allows only one; causes unpredictable SPF evaluation and deliverability failures |
| DKIM | Not found on standard selectors | Outbound mail not cryptographically signed |
| DNSSEC | Not signed | Domain hijack risk |
SPF records found (conflict):
1. `v=spf1 include:spf.intermedia.net -all`
2. `v=spf1 include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all`
## M365 Tenant (GoDaddy/johnvelez.com)
- **Tenant created:** 2016-12-05 (GoDaddy-provisioned)
- **onmicrosoft domain:** `NETORGFT2570783.onmicrosoft.com`
- **quantumwms.com** is NOT a verified domain in this tenant — email runs entirely through Intermedia
- **Remediation app consent:** Tenant Admin tier consented by John (plan@johnvelez.com) 2026-05-26
### Users
| UPN | Display | Licenses | Notes |
|---|---|---|---|
| `plan@johnvelez.com` | John Velez | O365 Business Essentials + Flow Free | Active — no desktop Office apps |
| `admin@NETORGFT2570783.onmicrosoft.com` | johnvelez.com | None | GoDaddy admin account |
| `john__quantumwms.com@NETORGFT2570783.onmicrosoft.com` | john@quantumwms.com | None | Shell account, no mailbox, created 2026-03-16 |
| `migrationapp@NETORGFT2570783.onmicrosoft.com` | SkyKick Inc. | None | Old 2016 migration app account |
### Consent URL (Tenant Admin tier)
```
https://login.microsoftonline.com/8f7eaff4-f913-4d3f-b8b9-92e695d987c6/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
```
Post-consent onboard command:
```bash
bash onboard-tenant.sh 8f7eaff4-f913-4d3f-b8b9-92e695d987c6
```
## Compliance Context: Broker/Dealer Requirements
John and Sheila believe Intermedia is mandated by their Broker/Dealer. **This is almost certainly incorrect.**
### What SEC Rule 17a-4 / FINRA Rule 4511 actually require
- Electronic communication retention (3 years accessible, 6 years total for most records)
- Non-rewritable, non-erasable (WORM-compliant) archiving
- Supervisory review capability
- Ability to produce records on regulatory demand
### What they do NOT require
- Intermedia specifically
- Any named third-party vendor
- Exchange Server or hosted Exchange
### Microsoft 365 satisfies all FINRA/17a-4 requirements
Microsoft Purview (included in Business Premium) provides WORM-compliant archiving with a CFTC/SEC 17a-4 compliance attestation from Cohasset Associates. The majority of FINRA-registered broker/dealers run on Exchange Online. FINRA has published guidance explicitly endorsing cloud-based recordkeeping.
### Action item (BLOCKER)
Sheila has been asked to produce **written policy from the Broker/Dealer that explicitly names Intermedia** as the required platform. This policy is expected not to exist — the B/D policy will require compliant archiving, not a specific vendor. Resolution expected before meeting 2026-05-27 14:00.
## Recommended Architecture: M365 Business Premium + Mailprotector
### License Plan
| Account | License | Domain |
|---|---|---|
| John (firm) | M365 Business Premium | quantumwms.com |
| Sheila (firm) | M365 Business Premium | quantumwms.com |
| Sheila (personal) | Exchange Online Plan 1 | sheilaperess.com |
| Others TBD | Exchange Online Plan 1 | TBD |
### What Business Premium provides over Intermedia
| Capability | Intermedia Hosted Exchange | M365 Business Premium |
|---|---|---|
| Email | Exchange Server (hosted) | Exchange Online (Microsoft cloud) |
| Exchange CVE exposure | YES — full Server CVE surface | No — Microsoft patches same-day |
| Spam/malware filtering | Basic | Defender for Office 365 Plan 1 (Safe Links, Safe Attachments) |
| Frontend filtering | None | Mailprotector (ACG-managed) |
| MFA enforcement | Manual | Entra ID P1 — Conditional Access |
| FINRA archiving | Intermedia archiver (extra cost) | Microsoft Purview — included |
| Desktop Office apps | No | Yes (Word, Excel, Outlook, etc.) |
| Mobile device management | No | Intune — included |
| DMARC/DKIM setup | Not managed | ACG-managed during migration |
### Migration Steps
1. [DONE] Get consent from John (2026-05-26)
2. Obtain written B/D compliance policy from Sheila — confirm no Intermedia mandate
3. Add quantumwms.com as verified domain to johnvelez.com tenant
4. Purchase 2x Business Premium (direct or ACG CSP)
5. Create firm mailboxes (john@quantumwms.com, sheila@quantumwms.com)
6. Assign Business Premium licenses
7. Set up Mailprotector frontend for quantumwms.com
8. Configure DMARC, fix SPF (single record), configure DKIM
9. Cut MX from Intermedia → Exchange Online
10. Migrate existing mail from Intermedia → Exchange Online
11. Activate Office apps on their machines
12. Cancel Intermedia after cutover confirmed
13. Move DNS (quantumwms.com + sheilaperess.com) to Cloudflare
14. Purchase Exchange Online Plan 1 for personal domain accounts
15. Cancel GoDaddy email hosting per account as each migrates
### GoDaddy Decoupling Plan
- DNS: move both domains to Cloudflare (transfer locks must be removed in GoDaddy first)
- M365 licensing: swap GoDaddy-resold O365 Business Essentials → Business Premium
- Intermedia: cancel after mail cutover confirmed
## Open Items
- [ ] **BLOCKER:** Sheila to produce B/D written policy on email compliance requirements (due 2026-05-27 14:00)
- [ ] Sheila to confirm: sheilaperess.com Exchange Online Plan 1 only vs. Business Basic upgrade
- [ ] Determine additional personal domain accounts beyond sheilaperess.com
- [ ] DNS cutover timing for both domains
- [ ] Confirm whether SkyKick migration app account (2016) can be deleted
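Review bot: the Migration Steps cut over only the MX record (step 9) but never update the Autodiscover record this same page lists under Current Email Infrastructure (`ar-east.exch090.serverdata.net`), so Outlook profiles would keep resolving to the Intermedia cluster after cutover; add an explicit step alongside step 9 to repoint Autodiscover and to drop the `include:spf.intermedia.net` entry once Intermedia no longer sends for the domain. Two smaller points: the SPF double-record fix in step 8 does not depend on the migration and can be applied immediately, since the gaps table already flags the current state as CRITICAL for deliverability; and step 12 (cancel Intermedia) should be gated on confirming that historical mail covered by the 17a-4 retention periods in the Compliance section has landed in Exchange Online/Purview, not only on the cutover itself.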