azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from GURU-5070 at 2026-05-26 15:58:46

Browse Source 
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-05-26 15:58:46
This commit is contained in:
Mike Swanson
2026-05-26 15:58:50 -07:00
parent 5bb2064716
commit c7e5dfc673
5 changed files with 1228 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

759
clients/quantumwms/reports/2026-05-26-email-infrastructure-assessment.html Normal file
View File

@@ -0,0 +1,759 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Email Infrastructure Assessment — Quantum WMS</title>
<style>
@import url('https://fonts.googleapis.com/css2?family=Jost:ital,wght@0,300;0,400;0,500;0,600;0,700;0,800;1,400&display=swap');
:root {
--navy: oklch(27% 0.078 252);
--navy-mid: oklch(38% 0.072 252);
--navy-muted: oklch(54% 0.055 252);
--amber: oklch(66% 0.175 60);
--amber-deep: oklch(50% 0.16 52);
--amber-text: oklch(40% 0.14 50);
--surface: oklch(99.5% 0.004 248);
--bg: oklch(97% 0.009 248);
--border: oklch(91% 0.011 248);
--border-mid: oklch(85% 0.015 248);
--text: oklch(22% 0.018 248);
--text-mid: oklch(42% 0.014 248);
--text-muted: oklch(60% 0.010 248);
--danger-bg: oklch(97.5% 0.016 22);
--danger-border: oklch(78% 0.12 22);
--danger-text: oklch(38% 0.19 22);
--danger-heading: oklch(32% 0.18 22);
--success-bg: oklch(97.5% 0.013 155);
--success-border: oklch(76% 0.11 155);
--success-text: oklch(34% 0.15 155);
--info-bg: oklch(97.5% 0.013 252);
--info-border: oklch(80% 0.09 252);
--info-text: oklch(32% 0.12 252);
}
*, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
html { -webkit-font-smoothing: antialiased; }
body {
font-family: 'Jost', system-ui, sans-serif;
font-size: 15px;
line-height: 1.75;
color: var(--text);
background: var(--bg);
}
/* PAGE */
.page {
max-width: 860px;
margin: 48px auto;
background: var(--surface);
box-shadow: 0 2px 40px oklch(22% 0.06 252 / 0.11);
}
/* AMBER CAP */
.amber-cap { height: 4px; background: var(--amber); }
/* HEADER */
.header {
background: var(--navy);
padding: 48px 56px 40px;
}
.header .firm-name {
font-size: 10.5px;
font-weight: 700;
letter-spacing: 2.5px;
text-transform: uppercase;
color: var(--amber);
margin-bottom: 22px;
}
.header h1 {
font-size: clamp(22px, 3.2vw, 33px);
font-weight: 800;
line-height: 1.12;
letter-spacing: -0.5px;
color: oklch(99% 0.003 248);
margin-bottom: 10px;
}
.header .confidential {
font-size: 12px;
color: oklch(68% 0.04 248);
font-weight: 400;
}
.meta-strip {
display: flex;
gap: 0;
margin-top: 34px;
padding-top: 28px;
border-top: 1px solid oklch(100% 0 0 / 0.09);
}
.meta-cell {
padding-right: 36px;
}
.meta-cell:not(:last-child) {
border-right: 1px solid oklch(100% 0 0 / 0.09);
margin-right: 36px;
}
.meta-cell .meta-label {
font-size: 10px;
font-weight: 700;
letter-spacing: 1.5px;
text-transform: uppercase;
color: oklch(60% 0.045 248);
margin-bottom: 3px;
}
.meta-cell .meta-value {
font-size: 13px;
font-weight: 500;
color: oklch(93% 0.005 248);
}
/* BODY */
.body { padding: 52px 56px 48px; }
/* EXEC SUMMARY */
.exec-summary {
border: 1px solid var(--info-border);
border-top: 3px solid var(--navy);
background: var(--info-bg);
border-radius: 1px;
padding: 24px 28px;
margin-bottom: 52px;
font-size: 14.5px;
color: var(--info-text);
}
.exec-summary p { margin-bottom: 12px; }
.exec-summary p:last-child { margin-bottom: 0; }
.exec-summary strong { color: var(--navy); }
/* HEADINGS */
h2 {
font-size: 19px;
font-weight: 700;
color: var(--navy);
margin: 52px 0 18px;
letter-spacing: -0.25px;
}
.body > h2:first-of-type { margin-top: 0; }
h3 {
font-size: 11px;
font-weight: 700;
letter-spacing: 1.8px;
text-transform: uppercase;
color: var(--navy-muted);
margin: 32px 0 12px;
}
p { margin-bottom: 14px; }
/* DNS CARDS */
.dns-grid {
display: grid;
grid-template-columns: 1fr 1fr;
gap: 12px;
margin: 18px 0 26px;
}
.dns-card {
background: var(--danger-bg);
border: 1px solid var(--danger-border);
border-radius: 1px;
padding: 20px 22px 18px;
}
.dns-card .record-label {
font-size: 10px;
font-weight: 700;
letter-spacing: 2px;
text-transform: uppercase;
color: var(--danger-text);
opacity: 0.65;
margin-bottom: 6px;
}
.dns-card .record-status {
font-size: 15.5px;
font-weight: 700;
color: var(--danger-heading);
margin-bottom: 9px;
line-height: 1.2;
}
.dns-card .record-desc {
font-size: 12.5px;
color: oklch(40% 0.055 22);
line-height: 1.52;
}
/* CALLOUTS */
.callout {
display: grid;
grid-template-columns: 18px 1fr;
gap: 14px;
padding: 16px 22px;
border-radius: 1px;
border: 1px solid;
margin: 18px 0;
font-size: 14px;
align-items: start;
}
.callout-icon { font-size: 14px; margin-top: 2px; }
.callout-body strong { display: block; font-weight: 700; margin-bottom: 4px; }
.callout.danger { background: var(--danger-bg); border-color: var(--danger-border); color: var(--danger-text); }
.callout.success { background: var(--success-bg); border-color: var(--success-border); color: var(--success-text); }
.callout.info { background: var(--info-bg); border-color: var(--info-border); color: var(--info-text); }
/* TABLES */
.data-table {
width: 100%;
border-collapse: collapse;
margin: 16px 0 28px;
font-size: 13.5px;
}
.data-table thead tr { background: var(--navy); }
.data-table thead th {
padding: 12px 18px;
text-align: left;
font-size: 11.5px;
font-weight: 600;
letter-spacing: 0.4px;
color: oklch(93% 0.004 248);
}
.data-table tbody tr { border-bottom: 1px solid var(--border); }
.data-table tbody tr:nth-child(even) { background: oklch(98.5% 0.005 248); }
.data-table tbody td {
padding: 11px 18px;
vertical-align: middle;
}
.data-table tbody td:first-child { font-weight: 500; color: var(--text); }
/* BADGES */
.badge {
display: inline-block;
padding: 3px 10px;
border-radius: 2px;
font-size: 11.5px;
font-weight: 700;
letter-spacing: 0.2px;
border: 1px solid;
}
.badge.no { background: var(--danger-bg); border-color: var(--danger-border); color: var(--danger-text); }
.badge.yes { background: var(--success-bg); border-color: var(--success-border); color: var(--success-text); }
.badge.partial { background: oklch(97.5% 0.014 80); border-color: oklch(80% 0.12 80); color: oklch(40% 0.15 72); }
/* MAIL FLOW */
.mail-flow {
display: flex;
align-items: center;
flex-wrap: wrap;
gap: 8px;
background: oklch(98% 0.007 248);
border: 1px solid var(--border);
border-radius: 1px;
padding: 16px 20px;
margin: 14px 0 26px;
}
.flow-step {
background: var(--surface);
border: 1px solid var(--border-mid);
border-radius: 2px;
padding: 5px 13px;
font-size: 12.5px;
font-weight: 600;
color: var(--navy);
white-space: nowrap;
}
.flow-arrow { color: var(--amber-deep); font-size: 13px; font-weight: 700; }
.flow-note {
width: 100%;
font-size: 11.5px;
color: var(--text-muted);
margin-top: 6px;
padding-top: 10px;
border-top: 1px solid var(--border);
}
/* RULE BOX */
.rule-box {
background: oklch(98.5% 0.006 248);
border: 1px solid var(--border);
border-radius: 1px;
padding: 22px 26px;
margin: 18px 0;
}
.rule-box .rule-label {
font-size: 10px;
font-weight: 700;
letter-spacing: 2px;
text-transform: uppercase;
color: var(--navy-muted);
margin-bottom: 16px;
}
.rule-box ul { list-style: none; padding: 0; }
.rule-box ul li {
display: flex;
align-items: baseline;
gap: 13px;
font-size: 14px;
padding: 9px 0;
border-bottom: 1px solid var(--border);
color: var(--text);
}
.rule-box ul li:last-child { border-bottom: none; padding-bottom: 0; }
.rule-box ul li:first-child { padding-top: 0; }
.rule-box ul li::before {
content: '';
width: 6px;
height: 6px;
border-radius: 50%;
background: var(--amber);
flex-shrink: 0;
margin-top: 8px;
}
/* ACTION BOX */
.action-box {
background: var(--amber-deep);
border-radius: 1px;
padding: 32px 36px;
margin: 44px 0 40px;
}
.action-box .action-kicker {
font-size: 10px;
font-weight: 700;
letter-spacing: 2.5px;
text-transform: uppercase;
color: oklch(88% 0.07 62);
margin-bottom: 14px;
}
.action-box h2 {
font-size: 20px;
font-weight: 700;
color: oklch(99% 0.003 62);
margin: 0 0 18px;
letter-spacing: -0.2px;
}
.action-box p {
font-size: 14.5px;
color: oklch(93% 0.03 62);
margin-bottom: 12px;
line-height: 1.65;
}
.action-box p:last-child { margin-bottom: 0; }
.action-box strong { color: oklch(99% 0.003 62); }
/* TIMELINE */
.timeline {
margin: 22px 0 4px;
}
.tl-row {
display: grid;
grid-template-columns: 148px 32px 1fr;
min-height: 42px;
}
.tl-date {
font-size: 12.5px;
font-weight: 600;
color: var(--navy);
padding: 10px 16px 10px 0;
text-align: right;
white-space: nowrap;
line-height: 1.4;
}
.tl-gutter {
display: flex;
flex-direction: column;
align-items: center;
}
.tl-dot {
width: 10px;
height: 10px;
border-radius: 50%;
background: var(--amber);
margin-top: 13px;
flex-shrink: 0;
position: relative;
z-index: 1;
}
.tl-line {
width: 2px;
flex: 1;
background: var(--border);
margin-top: 3px;
margin-bottom: -2px;
}
.tl-text {
font-size: 13.5px;
color: var(--text-mid);
padding: 10px 0 10px 16px;
line-height: 1.55;
}
.tl-row:last-child .tl-line { display: none; }
/* DIVIDER */
.divider {
height: 1px;
background: var(--border);
margin: 48px 0;
}
/* FOOTER */
.footer {
background: var(--navy);
padding: 22px 56px;
display: flex;
justify-content: space-between;
align-items: center;
}
.footer-firm {
font-size: 13px;
font-weight: 700;
color: oklch(95% 0.005 248);
margin-bottom: 2px;
}
.footer-contact {
font-size: 12px;
color: oklch(64% 0.045 248);
}
.footer-right {
font-size: 11px;
color: oklch(50% 0.04 248);
text-align: right;
line-height: 1.65;
}
/* PRINT */
@media print {
body { background: white; }
.page { box-shadow: none; margin: 0; max-width: 100%; }
}
</style>
</head>
<body>
<div class="page">
<div class="amber-cap"></div>
<div class="header">
<div class="firm-name">Arizona Computer Guru LLC</div>
<h1>Email Infrastructure Assessment<br>and Migration Recommendation</h1>
<div class="confidential">Confidential — Prepared for Quantum WMS</div>
<div class="meta-strip">
<div class="meta-cell">
<div class="meta-label">Prepared for</div>
<div class="meta-value">John &amp; Sheila Velez, Quantum WMS</div>
</div>
<div class="meta-cell">
<div class="meta-label">Date</div>
<div class="meta-value">May 26, 2026</div>
</div>
<div class="meta-cell">
<div class="meta-label">Prepared by</div>
<div class="meta-value">Mike Swanson</div>
</div>
</div>
</div>
<div class="body">
<div class="exec-summary">
<p>Following our review of Quantum WMS's current email infrastructure, we have identified significant security deficiencies in your existing Intermedia hosted Exchange setup.</p>
<p>We are recommending a migration to <strong>Microsoft 365 Business Premium</strong> with <strong>Mailprotector</strong> as a managed email security frontend. This solution is technically superior, more cost-effective, and fully satisfies your regulatory compliance requirements under FINRA Rule 4511 and SEC Rule 17a-4.</p>
<p>Before we finalize the migration plan, we need one item from Sheila (detailed at the end of this document).</p>
</div>
<h2>Current State: Intermedia Hosted Exchange</h2>
<p>Your email is currently hosted by Intermedia on their Exchange Server cluster. This is an important distinction: <strong>Intermedia is not running Microsoft's cloud.</strong> They run Exchange Server software in their own data center, the same software that runs on an on-premises server. This has major security implications.</p>
<h3>Your Domain Has No Email Security Records</h3>
<p>Our DNS assessment revealed the following active security risks:</p>
<div class="dns-grid">
<div class="dns-card">
<div class="record-label">DMARC</div>
<div class="record-status">Missing</div>
<div class="record-desc">Anyone can send email appearing to come from @quantumwms.com with zero enforcement. This is the primary mechanism used in CEO fraud and vendor impersonation attacks.</div>
</div>
<div class="dns-card">
<div class="record-label">SPF</div>
<div class="record-status">Misconfigured (2 records)</div>
<div class="record-desc">Internet standards allow only one SPF record per domain. Having two causes unpredictable authentication failures and can result in your legitimate email being rejected as spam.</div>
</div>
<div class="dns-card">
<div class="record-label">DKIM</div>
<div class="record-status">Not Configured</div>
<div class="record-desc">DKIM cryptographically signs outbound email, proving it originated from your server and was not tampered with in transit. Without it, recipients cannot fully authenticate your email.</div>
</div>
<div class="dns-card">
<div class="record-label">DNSSEC</div>
<div class="record-status">Not Signed</div>
<div class="record-desc">Your domain has no cryptographic protection against DNS hijacking or spoofing attacks at the infrastructure layer.</div>
</div>
</div>
<div class="callout danger">
<span class="callout-icon">&#9888;</span>
<div class="callout-body">
<strong>These issues exist today, regardless of which email platform you use.</strong>
Correcting them is a required step and one we will handle as part of the migration.
</div>
</div>
<h3>Exchange Server CVE Exposure</h3>
<p>Because Intermedia runs Exchange Server — not Exchange Online — your infrastructure is subject to the same critical vulnerabilities that have affected on-premises Exchange servers globally:</p>
<table class="data-table">
<thead>
<tr>
<th>Vulnerability</th>
<th>Disclosed</th>
<th>Impact</th>
</tr>
</thead>
<tbody>
<tr><td>ProxyLogon (CVE-2021-26855)</td><td>March 2021</td><td>Full server compromise, mass-exploited worldwide</td></tr>
<tr><td>ProxyShell (CVE-2021-34473)</td><td>August 2021</td><td>Remote code execution without authentication</td></tr>
<tr><td>ProxyNotShell (CVE-2022-41040)</td><td>October 2022</td><td>Actively exploited before patch availability</td></tr>
<tr><td>OWASSRF (CVE-2022-41080)</td><td>December 2022</td><td>Used in the Rackspace hosted Exchange breach</td></tr>
</tbody>
</table>
<p><strong>Microsoft patches Exchange Online the same day vulnerabilities are disclosed.</strong> Intermedia patches their hosted clusters on their own schedule. The gap between disclosure and deployment is precisely when attacks occur.</p>
<div class="divider"></div>
<h2>Recommended Solution: M365 Business Premium + Mailprotector</h2>
<h3>Microsoft 365 Business Premium — $22/user/month</h3>
<p>A complete cloud-native productivity and security platform that replaces Intermedia entirely:</p>
<table class="data-table">
<thead>
<tr><th>Service</th><th>What It Provides</th></tr>
</thead>
<tbody>
<tr><td>Exchange Online</td><td>Cloud email, Microsoft-managed, same-day security patching</td></tr>
<tr><td>Office Apps (Desktop)</td><td>Word, Excel, Outlook, PowerPoint on up to 5 devices per user</td></tr>
<tr><td>Microsoft Teams</td><td>Chat, video conferencing, file collaboration</td></tr>
<tr><td>OneDrive / SharePoint</td><td>1 TB cloud file storage per user</td></tr>
<tr><td>Microsoft Purview</td><td>FINRA/SEC 17a-4 compliant email archiving (WORM storage) — included</td></tr>
<tr><td>Defender for Office 365</td><td>Safe Links, Safe Attachments, advanced anti-phishing</td></tr>
<tr><td>Microsoft Entra ID P1</td><td>Conditional Access, MFA enforcement, sign-in risk detection</td></tr>
<tr><td>Microsoft Intune</td><td>Mobile device and PC management</td></tr>
</tbody>
</table>
<h3>Mailprotector — ACG-Managed Email Security Frontend</h3>
<p>Mailprotector sits in front of Exchange Online as an additional filtering layer: inbound spam and malware are blocked before mail reaches your inbox. ACG configures and monitors it; you do not need to manage it.</p>
<div class="mail-flow">
<span class="flow-step">Sender</span>
<span class="flow-arrow">&#8594;</span>
<span class="flow-step">Mailprotector</span>
<span class="flow-arrow">&#8594;</span>
<span class="flow-step">Exchange Online</span>
<span class="flow-arrow">&#8594;</span>
<span class="flow-step">Your Inbox</span>
<div class="flow-note">Inbound: filtered for spam and malware before delivery &nbsp;·&nbsp; Outbound: DKIM-signed, SPF-aligned, DMARC-enforced</div>
</div>
<h3>Security Posture Comparison</h3>
<table class="data-table">
<thead>
<tr>
<th>Capability</th>
<th>Intermedia (Current)</th>
<th>M365 + Mailprotector</th>
</tr>
</thead>
<tbody>
<tr>
<td>Exchange CVE Exposure</td>
<td><span class="badge no">Yes — Server CVEs</span></td>
<td><span class="badge yes">No — Exchange Online</span></td>
</tr>
<tr>
<td>Same-Day Security Patching</td>
<td><span class="badge no">No</span></td>
<td><span class="badge yes">Yes</span></td>
</tr>
<tr>
<td>Inbound Threat Filtering</td>
<td><span class="badge partial">Basic</span></td>
<td><span class="badge yes">Mailprotector + Defender</span></td>
</tr>
<tr>
<td>Safe Links / Safe Attachments</td>
<td><span class="badge no">No</span></td>
<td><span class="badge yes">Yes</span></td>
</tr>
<tr>
<td>MFA Enforcement Policy</td>
<td><span class="badge partial">Manual, per-user</span></td>
<td><span class="badge yes">Conditional Access (Entra P1)</span></td>
</tr>
<tr>
<td>DMARC / DKIM / SPF</td>
<td><span class="badge no">Not managed</span></td>
<td><span class="badge yes">ACG-configured</span></td>
</tr>
<tr>
<td>FINRA/SEC 17a-4 Archiving</td>
<td><span class="badge partial">Extra-cost add-on</span></td>
<td><span class="badge yes">Included (Purview)</span></td>
</tr>
<tr>
<td>Desktop Office Apps</td>
<td><span class="badge no">No</span></td>
<td><span class="badge yes">Yes</span></td>
</tr>
<tr>
<td>Mobile Device Management</td>
<td><span class="badge no">No</span></td>
<td><span class="badge yes">Yes (Intune)</span></td>
</tr>
<tr>
<td>Sign-In Risk Detection</td>
<td><span class="badge no">No</span></td>
<td><span class="badge yes">Yes (Entra P1)</span></td>
</tr>
</tbody>
</table>
<div class="divider"></div>
<h2>Regarding Your Broker/Dealer Compliance Requirement</h2>
<p>You have indicated that your Broker/Dealer may require Intermedia for compliance purposes. We want to address this directly.</p>
<div class="rule-box">
<div class="rule-label">What FINRA Rule 4511 &amp; SEC Rule 17a-4 Actually Require</div>
<ul>
<li>Electronic communication retention in non-rewritable, non-erasable (WORM) storage</li>
<li>Minimum retention: 3 years readily accessible, 6 years total</li>
<li>Records indexed and available for regulatory inspection on demand</li>
<li>Supervisory review capability</li>
</ul>
</div>
<div class="callout success">
<span class="callout-icon">&#10003;</span>
<div class="callout-body">
<strong>Microsoft 365 is fully FINRA/SEC 17a-4 compliant.</strong>
Microsoft Purview has received a formal compliance assessment from Cohasset Associates confirming that Exchange Online meets the requirements of SEC Rule 17a-4(f) and CFTC Rule 1.31. The majority of FINRA-registered broker/dealers run on Exchange Online today.
</div>
</div>
<div class="callout info">
<span class="callout-icon">&#8505;</span>
<div class="callout-body">
<strong>The regulations specify outcomes, not vendors.</strong>
FINRA Rule 4511 and SEC Rule 17a-4 do not name Intermedia or any specific platform as a required provider. If your Broker/Dealer's written policy names Intermedia explicitly, we would consider that extraordinary and recommend reviewing it with your compliance attorney.
</div>
</div>
<div class="action-box">
<div class="action-kicker">Action Required — Sheila</div>
<h2>Please Provide the Written Policy Before Our Meeting</h2>
<p>Please locate and provide the <strong>written policy from your Broker/Dealer</strong> that specifies your email and security compliance requirements.</p>
<p>We are looking for any document that defines which platforms are approved or required, specifies archiving or retention standards, or names Intermedia as a required provider.</p>
<p>Please have this document — or confirmation that no such document exists — ready for our meeting on <strong>Tuesday, May 27 at 2:00 PM</strong>.</p>
</div>
<h2>Proposed Timeline</h2>
<div class="timeline">
<div class="tl-row">
<div class="tl-date">Now &rarr; May 27</div>
<div class="tl-gutter"><div class="tl-dot"></div><div class="tl-line"></div></div>
<div class="tl-text">Sheila obtains B/D compliance policy; confirm Intermedia is not mandated</div>
</div>
<div class="tl-row">
<div class="tl-date">May 27, 2:00 PM</div>
<div class="tl-gutter"><div class="tl-dot"></div><div class="tl-line"></div></div>
<div class="tl-text">Review policy; confirm migration go/no-go; finalize license counts</div>
</div>
<div class="tl-row">
<div class="tl-date">May 28 &ndash; 29</div>
<div class="tl-gutter"><div class="tl-dot"></div><div class="tl-line"></div></div>
<div class="tl-text">Purchase Business Premium licenses; configure tenant and mailboxes</div>
</div>
<div class="tl-row">
<div class="tl-date">May 30 &ndash; 31</div>
<div class="tl-gutter"><div class="tl-dot"></div><div class="tl-line"></div></div>
<div class="tl-text">Set up Mailprotector; configure DMARC, DKIM, SPF; test mail flow</div>
</div>
<div class="tl-row">
<div class="tl-date">June 1 &ndash; 2</div>
<div class="tl-gutter"><div class="tl-dot"></div><div class="tl-line"></div></div>
<div class="tl-text">Mail migration from Intermedia; DNS cutover to Exchange Online</div>
</div>
<div class="tl-row">
<div class="tl-date">June 3</div>
<div class="tl-gutter"><div class="tl-dot"></div></div>
<div class="tl-text">Current GoDaddy O365 Essentials lapses. New Business Premium is live before this date.</div>
</div>
</div>
</div>
<div class="footer">
<div>
<div class="footer-firm">Arizona Computer Guru LLC</div>
<div class="footer-contact">mike@azcomputerguru.com &nbsp;·&nbsp; (520) 226-3987</div>
</div>
<div class="footer-right">
Confidential — Quantum WMS<br>
May 26, 2026
</div>
</div>
</div>
</body>
</html>

237
clients/quantumwms/reports/2026-05-26-email-infrastructure-assessment.txt Normal file
View File

@@ -0,0 +1,237 @@
EMAIL INFRASTRUCTURE ASSESSMENT & MIGRATION RECOMMENDATION
Arizona Computer Guru LLC
Prepared for: John Velez & Sheila Peress, Quantum WMS
Date: May 26, 2026
Prepared by: Mike Swanson
================================================================================
EXECUTIVE SUMMARY
================================================================================
Following our review of Quantum WMS's current email infrastructure, we have
identified significant security deficiencies in the current Intermedia hosted
Exchange setup and have confirmed that a migration to Microsoft 365 Business
Premium is technically superior, more cost-effective, and fully satisfies your
regulatory compliance requirements under FINRA Rule 4511 and SEC Rule 17a-4.
We are recommending: Microsoft 365 Business Premium (exchange and full Office
suite) with Mailprotector as a managed email security frontend.
Before we proceed, we need one item from Sheila: the written policy from your
Broker/Dealer specifying email and security compliance requirements. Details
at the end of this document.
================================================================================
CURRENT STATE: INTERMEDIA HOSTED EXCHANGE
================================================================================
Your current email is hosted by Intermedia on their "exch090" Exchange Server
cluster. This is important to understand: Intermedia is not running Microsoft's
cloud. They are running Exchange Server software in their own data center —
the same software that runs on an on-premises server. This distinction has
major security implications.
CRITICAL: YOUR DOMAIN HAS NO EMAIL SECURITY RECORDS
----------------------------------------------------
During our assessment we found the following DNS configuration issues that
represent active security risks today:
DMARC Record: MISSING
-----------------------------------------------------------------------
DMARC is what tells the internet what to do with email that claims to
be from @quantumwms.com but wasn't sent by your mail server. Without
it, anyone in the world can send email that appears to come from your
domain with no enforcement. This is the primary mechanism used in
CEO fraud and vendor impersonation attacks.
SPF Records: TWO RECORDS (misconfiguration)
-----------------------------------------------------------------------
Your domain has two conflicting SPF records:
Record 1: v=spf1 include:spf.intermedia.net -all
Record 2: v=spf1 include:_spf-usg1.ppe-hosted.com
include:secureserver.net ~all
Internet standards (RFC 7208) permit only ONE SPF record per domain.
Having two causes receiving mail servers to evaluate them unpredictably,
which can result in your legitimate email being marked as spam or
rejected outright.
DKIM: NOT CONFIGURED
-----------------------------------------------------------------------
DKIM cryptographically signs outbound email, proving it originated
from your mail server and has not been tampered with in transit.
Without it, your email cannot be fully authenticated by recipients.
These three issues exist independently of which email platform you use and
need to be corrected as part of any migration.
SECURITY RISKS: EXCHANGE SERVER CVE EXPOSURE
--------------------------------------------
Because Intermedia runs Exchange Server (not Exchange Online), your email
infrastructure is subject to the same vulnerabilities that have affected
on-premises Exchange servers worldwide over the past several years:
- ProxyLogon (CVE-2021-26855) — mass-exploited March 2021
- ProxyShell (CVE-2021-34473) — mass-exploited August 2021
- ProxyNotShell (CVE-2022-41040) — actively exploited October 2022
- OWASSRF (CVE-2022-41080) — Rackspace breach, December 2022
Microsoft patches Exchange Online the same day vulnerabilities are
disclosed. Intermedia patches their hosted Exchange clusters on their
own schedule. The gap between disclosure and patch deployment is when
attacks occur.
WHAT INTERMEDIA DOES NOT PROVIDE
---------------------------------
- Advanced threat protection (no Safe Links, Safe Attachments)
- Conditional Access / MFA enforcement policies
- Modern email archiving with FINRA compliance certification
- Desktop Office applications (Word, Excel, Outlook, etc.)
- Mobile device management
- Identity protection or sign-in risk detection
================================================================================
RECOMMENDED SOLUTION: M365 BUSINESS PREMIUM + MAILPROTECTOR
================================================================================
MICROSOFT 365 BUSINESS PREMIUM
-------------------------------
$22/user/month (direct) — includes:
Exchange Online Full cloud email, Microsoft-managed, same-day patching
Desktop Office Apps Word, Excel, Outlook, PowerPoint, OneNote (5 devices)
Microsoft Teams Chat, video, file collaboration
SharePoint / OneDrive 1 TB cloud file storage per user
Microsoft Purview FINRA/SEC 17a-4 compliant email archiving (WORM)
Defender for Office 365 Safe Links, Safe Attachments, anti-phishing (Plan 1)
Microsoft Entra ID P1 Conditional Access, MFA enforcement, sign-in risk
Microsoft Intune Mobile device and PC management
MAILPROTECTOR (ACG-MANAGED FRONTEND)
-------------------------------------
Mailprotector sits in front of Exchange Online as an additional email
security layer, providing:
- Inbound spam and malware filtering before mail reaches Exchange
- Outbound filtering and DLP
- Quarantine management
- ACG-managed — we handle configuration, updates, and tuning
WHAT THIS LOOKS LIKE DAY-TO-DAY
--------------------------------
Inbound mail path:
Sender -> Mailprotector (spam/malware filter) -> Exchange Online -> Outlook
Outbound mail path:
Outlook -> Exchange Online -> Internet (DKIM-signed, SPF-aligned, DMARC-enforced)
Result: your outbound email is cryptographically authenticated, and your
inbound email is filtered twice before reaching your inbox.
SECURITY POSTURE COMPARISON
----------------------------
Intermedia M365 Business Premium
+ Mailprotector
-----------------------------------------------------------------------
Exchange CVE exposure Yes (Exchange Server) No (Exchange Online)
Same-day security patching No (Intermedia pace) Yes (Microsoft)
Inbound threat filtering Basic Mailprotector + Defender
Safe Links (URL scanning) No Yes
Safe Attachments No Yes
MFA enforcement policy Manual, per-user Conditional Access (P1)
DMARC/DKIM/SPF Not managed ACG-configured
Email archiving (FINRA) Extra cost add-on Included (Purview)
Desktop Office apps No Yes
Mobile device management No Yes (Intune)
Sign-in risk detection No Yes (Entra P1)
-----------------------------------------------------------------------
================================================================================
REGARDING YOUR BROKER/DEALER COMPLIANCE REQUIREMENT
================================================================================
You have indicated that your Broker/Dealer may require Intermedia for
compliance purposes. We want to address this directly.
WHAT FINRA RULE 4511 AND SEC RULE 17a-4 ACTUALLY REQUIRE:
The regulations require that broker/dealers retain electronic
communications (including email) in a format that is:
1. Non-rewritable and non-erasable (WORM storage)
2. Retained for a minimum period (3 years accessible, 6 total)
3. Indexed and available for regulatory inspection on demand
4. Subject to supervisory review
The regulations do NOT name any specific vendor or platform.
They specify outcomes, not products.
MICROSOFT 365 IS FINRA/SEC 17a-4 COMPLIANT:
Microsoft Purview Compliance (included in Business Premium) has received
a formal compliance assessment from Cohasset Associates confirming that
Exchange Online and SharePoint Online meet the requirements of SEC Rule
17a-4(f) and CFTC Rule 1.31. This assessment is publicly available.
The majority of FINRA-registered broker/dealers — including large
institutions — run on Exchange Online today. FINRA has published
guidance explicitly endorsing cloud-based recordkeeping solutions.
OUR EXPECTATION:
If your Broker/Dealer has a written policy specifying Intermedia by
name as the required platform, we would consider that extraordinary and
would want to review it alongside your compliance attorney. In our
experience, B/D policies specify archiving standards, not vendors.
================================================================================
ACTION REQUIRED FROM SHEILA — BEFORE OUR MEETING TOMORROW AT 2 PM
================================================================================
Please locate and provide the written policy from your Broker/Dealer that
specifies your email and security compliance requirements.
Specifically, we are looking for any document that:
- Defines which email platforms are approved or required
- Specifies archiving or retention requirements for electronic communications
- Names Intermedia (or any vendor) as a required provider
If no such document exists, or if the policy specifies standards rather
than a named vendor, we can proceed with the Microsoft 365 migration on
the timeline we discussed.
Please have this document (or confirmation that it does not exist) ready
for our meeting on Tuesday, May 27 at 2:00 PM.
If you have questions before then, call or text Mike at Arizona Computer
Guru.
================================================================================
PROPOSED TIMELINE
================================================================================
Now through May 27: Sheila obtains B/D compliance policy
May 27 (2 PM): Review policy; confirm migration go/no-go
May 28-29: Purchase licenses; configure tenant
May 30-31: Stand up mailboxes; configure Mailprotector
June 1-2: Mail migration from Intermedia; DNS cutover
June 3: Current GoDaddy O365 Essentials lapses — new
Business Premium is live before this date
================================================================================
Arizona Computer Guru LLC
Mike Swanson
mike@azcomputerguru.com
(520) 226-3987
================================================================================

72
session-logs/2026-05-26-session.md
View File

@@ -548,3 +548,75 @@ GET http://172.16.3.30:3001/api/commands/{command_id}
- quantumwms.com consent URL: https://login.microsoftonline.com/ddf3d2c9-b76c-40d9-a216-9f11a1a26f97/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent - quantumwms.com consent URL: https://login.microsoftonline.com/ddf3d2c9-b76c-40d9-a216-9f11a1a26f97/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
- GuruRMM: http://172.16.3.30:3001 | admin@azcomputerguru.com / GuruRMM2025 - GuruRMM: http://172.16.3.30:3001 | admin@azcomputerguru.com / GuruRMM2025
- Vault commit: 86a5586 | guru-rmm: 1a00912 | claudetools: 464d28a - Vault commit: 86a5586 | guru-rmm: 1a00912 | claudetools: 464d28a
---
## Update: 15:56 PT — wiki-compile skill, Syncro billing/comment, GuruScan packaging, GND-SERVER Datto investigation
### Session Summary
Switched to Opus 4.7 (model selection happens at conversation start; cannot change mid-session — user started fresh selection). Answered a Microsoft CSP-direct question: ACG currently resells via PAX8 (indirect); Direct Bill requires $300K trailing-12-month Microsoft revenue + a support contract, so it is not accessible yet — the realistic path is to grow CSP revenue through PAX8 and apply when approaching the threshold.
Designed and built a new `/wiki-compile` skill (it was referenced in CLAUDE.md but never implemented). It seeds or refreshes client wiki articles from session logs plus live Syncro data. Three modes: seed (new article, full Ollama synthesis), refresh (existing article, surgical update of dynamic fields only), and `--full` (force recompile preserving Patterns/History). Syncro is authoritative for all billing fields (hours remaining, rate, contract type, customer ID, asset count). Customer-not-found fails gracefully (continue with logs only); ambiguous search pauses and asks; asset count only (no detail tables). Also added Step 6 to `/wiki-lint`: pull live `prepay_hours` for every client article with a Syncro customer ID and auto-fix stale hours in place, committing fixes in one batch. Committed as d9ab515.
Created Cascades Syncro ticket #32324 (onsite meeting with access control vendor) and billed 0.5 hr onsite against the prepaid block — invoice $0.00, block decremented 29.0 -> 28.5 (verified). Added a public, customer-emailed comment to Grabb & Durando ticket #32279 (Richard Glabman) apologizing for the wifi equipment-quote delay and promising an update tomorrow; created a coord todo (due 2026-05-27) to follow up.
Reviewed GuruScan (Howard's new standalone multi-scanner malware suite, pulled in this session's sync at 3a0c83d/64374e3). Sent Howard four coord messages: (1) repo gaps + suggestion to package as an RMM-callable PowerShell module, (2) dual-mode design so it stays stand-alone (one module core + two entry points + pluggable output/AI sink, explicit `-OutputSink` defaulting to stand-alone), (3) signing note pointing at the existing Azure Trusted Signing infra. Saved a feedback memory: point vault-access teammates at the SOPS path rather than transcribing entry fields into messages.
Investigated a Datto Workplace "Deletion request denied by OS" alert on Grabb & Durando's GND-SERVER for `opp.msj.docx` in the BRILLON, BARBARA litigation drafts. Root cause: the BRILLON matter was closed and moved to `F:\Shares\Closed Files`; the move = copy + delete-at-source, and Workplace's delete of opp.msj.docx was momentarily denied because the file was open/locked. The file is intact in Closed Files. Per user direction, deleted the now-empty source matter folder (guarded delete — verified 0 files recursively first) to let Datto reconcile the pending delete and clear the alert.
### Key Decisions
- **/wiki-compile: Syncro is the source of truth for billing fields, not session logs.** Session logs go stale; the live customer record does not. Refresh mode updates only hours + active tickets + frontmatter, never Patterns/History (those need human review or `--full`).
- **wiki-lint auto-fixes stale hours but only flags ticket-status drift.** Hours are a single deterministic field safe to overwrite; ticket/narrative changes are not, so they are surfaced for review.
- **GuruScan stand-alone vs RMM is not a mode of the scanner** — it is the caller + a pluggable output sink. One module core returning structured objects; stand-alone is just the default disk sink, RMM is an additive entry point. Avoids forking scan logic.
- **GND-SERVER: guarded delete only.** Embedded a guard in the PowerShell so the source folder is deleted ONLY if zero files exist recursively — refused to risk deleting un-moved litigation data. Confirmed content preserved in Closed Files + twice-daily VSS before acting.
- **Did not restore the "deleted" file** — investigation showed it was an intentional matter-close/move, not data loss, so no recovery was warranted.
### Problems Encountered
- **Coord todos POST schema:** first attempt used `title`/`detail`; the API requires `text`, `created_by_user`, `created_by_machine`. Inspected an existing todo to get the shape, then retried successfully (Glabman todo 1bf0cfef).
- **`/tmp` path mismatch (again):** handing a Git Bash `/tmp/*.ps1` path to Windows `py` failed (FileNotFoundError) — Windows Python can't resolve the POSIX path. Fixed by using `jq -Rs` (fed by bash redirection) for all JSON payload building/parsing instead of `py`. This is the documented Windows /tmp gotcha.
- **RMM command poll timeouts:** the recursive Closed Files search on a 3.7 TB law-firm archive ran longer than the foreground poll window; switched to a background long-poll and fetched the command result by ID once complete.
### Configuration Changes
- CREATED `.claude/commands/wiki-compile.md` — new skill (committed d9ab515)
- MODIFIED `.claude/commands/wiki-lint.md` — added Step 6 (Syncro live-check auto-fix) + report section (committed d9ab515)
- CREATED `.claude/memory/feedback_vault_pointer_for_teammates.md` + index entry in `.claude/memory/MEMORY.md`
- DELETED on GND-SERVER: `F:\Shares\Company Data\CLIENTS\BRILLON, BARBARA` (empty source matter folder, post-move cleanup)
### Credentials & Secrets
- No new secrets created. GuruRMM API auth: `infrastructure/gururmm-server.sops.yaml` -> `credentials.gururmm-api.admin-email` / `admin-password` (login returns ~24h JWT).
- Azure Trusted Signing details in `services/azure-trusted-signing.sops.yaml` (public-trust, CN=Arizona Computer Guru LLC; sign.ps1 wrapper on Pluto; build SP on 172.16.3.30:/etc/gururmm-signing.env).
### Infrastructure & Servers
- **GND-SERVER (Grabb & Durando):** GuruRMM agent ID `cd086074-6766-46b5-93ad-382df97b1f54` (v0.6.39, online), site `d526d700-7210-48b1-94a9-40c87a29dc25`. Windows Server 2019, domain `gd.local`.
- `F:` = local volume `DATA_VOL`, 3.7 TB (NOT a network mapping — it is the server's data drive; users' mappings point at its shares).
- SMB shares: `Company Data` -> `F:\Shares\Company Data`; `Closed Files` -> `F:\Shares\Closed Files`; `Business` -> `F:\Shares\Business`; plus C:\ServerFolders\* (Folder Redirection, Users, Company).
- VSS previous-versions enabled on F: — twice-daily (7 AM + 12 PM) snapshots back to 2026-04-13.
- Datto Workplace Server service `datto_workplace_server.default` (LocalSystem) + `Datto_FSA.VssHelper`; team ID `517722` (HKLM:\SOFTWARE\WOW6432Node\Datto\Workplace Server\services\default\client.workplace.datto.com\517722).
- **Cascades:** Syncro customer 20149445, prepaid block, onsite labor product 26118 @ $175/hr, taxable false. Block 28.5 hrs after this session.
- **Grabb & Durando:** Syncro customer 7088463 (Deere Park Development, LLC / Richard Glabman, rglabman@dpa-inc.com).
### Commands & Outputs
- GuruRMM run-on-agent pattern: login -> JWT; `POST /api/agents/{id}/command` with `{command_type:"powershell", command:...}` (build payload with `jq -Rs`); poll `GET /api/commands/{id}` for status/stdout.
- BRILLON file located: `F:\Shares\Closed Files\BRILLON, BARBARA\LITIGATION\DRAFTS\opp.msj.docx` (39183 bytes) + a doubled-nested copy + `opp.msj (2).docx` (move/merge artifacts).
- Guarded delete result: `RESULT: DELETED empty source folder: F:\Shares\Company Data\CLIENTS\BRILLON, BARBARA` (0 files recursive).
### Pending / Incomplete Tasks
- **GND-SERVER Datto alert:** deletion synced; confirm the alert clears via Workplace Online (server status green) or absence of a new alert email. Offered to tail Datto Workplace Server logs server-side for confirmation — not yet done.
- **Optional:** fold GND-SERVER drive/share/VSS/Datto details into `wiki/clients/grabb-durando.md` (Infrastructure section currently blank for drives/backup).
- (Carried) quantumwms.com John Velez consent; 2x Business Premium before 2026-06-03; Autotask skill build; Western Tire #32199 billing; Kittle HIGH; GuruRMM fix/audit-2-remediation merge.
### Reference Information
- Commit: d9ab515 (wiki-compile + wiki-lint Syncro step). Pulled this session: 64374e3, 3a0c83d (Howard — GuruScan).
- Cascades: ticket #32324 (id 111060920), invoice 1650416726, comment id 413109831 — https://computerguru.syncromsp.com/tickets/111060920
- Grabb & Durando: ticket #32279 (id 110305905), comment id 413112462, todo 1bf0cfef (due 2026-05-27) — https://computerguru.syncromsp.com/tickets/110305905
- Coord messages to Howard (HOWARD-HOME/claude-main): ac6b35e2 (gaps+packaging), 43f8795b (dual-mode), 1e5c92a9 (signing)
- GuruScan: projects/msp-tools/guru-scan/ (6 PowerShell scripts; scanner chain RKill->AdwCleaner->Emsisoft->HitmanPro->ESET)

159
wiki/clients/quantumwms.md Normal file
View File

@@ -0,0 +1,159 @@
---
title: Quantum WMS
slug: quantumwms
type: client
project_key: clients/quantumwms
last_updated: 2026-05-26
---
# Quantum WMS
## Overview
| Field | Value |
|---|---|
| Company | Quantum WMS |
| Primary domain | quantumwms.com |
| Personal domain | sheilaperess.com |
| M365 tenant | `NETORGFT2570783.onmicrosoft.com` / `8f7eaff4-f913-4d3f-b8b9-92e695d987c6` |
| GoDaddy admin | `plan@johnvelez.com` (John Velez) — ACG has delegate access |
| Project key | `clients/quantumwms` |
## Contacts
| Name | Role | Notes |
|---|---|---|
| John Velez | Primary / M365 global admin | plan@johnvelez.com; GoDaddy account owner for both domains |
| Sheila Peress | Owner/principal | sheilaperess.com personal domain; compliance decision-maker; final say on license tier |
## Current Email Infrastructure
- **Registrar:** GoDaddy (quantumwms.com + sheilaperess.com) — ACG has delegate access
- **DNS:** GoDaddy DomainControl (NS03/NS04.DOMAINCONTROL.COM) — no DNSSEC
- **Mail routing:** Intermedia hosted Exchange — `exch090.serverdata.net` cluster (east/west)
- IP: `64.78.25.106` (Intermedia data center)
- Autodiscover: `ar-east.exch090.serverdata.net`
- This is Exchange Server software hosted by Intermedia, NOT Exchange Online
- **Intermedia setup:** Appears hybrid on-premises Exchange — carries full Exchange Server CVE exposure
### DNS / Email Security Gaps (CRITICAL)
| Record | Status | Impact |
|---|---|---|
| DMARC | **MISSING** | Anyone can spoof @quantumwms.com with no enforcement |
| SPF | **TWO RECORDS** (misconfiguration) | RFC 7208 allows only one; causes unpredictable SPF evaluation and deliverability failures |
| DKIM | Not found on standard selectors | Outbound mail not cryptographically signed |
| DNSSEC | Not signed | Domain hijack risk |
SPF records found (conflict):
1. `v=spf1 include:spf.intermedia.net -all`
2. `v=spf1 include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all`
## M365 Tenant (GoDaddy/johnvelez.com)
- **Tenant created:** 2016-12-05 (GoDaddy-provisioned)
- **onmicrosoft domain:** `NETORGFT2570783.onmicrosoft.com`
- **quantumwms.com** is NOT a verified domain in this tenant — email runs entirely through Intermedia
- **Remediation app consent:** Tenant Admin tier consented by John (plan@johnvelez.com) 2026-05-26
### Users
| UPN | Display | Licenses | Notes |
|---|---|---|---|
| `plan@johnvelez.com` | John Velez | O365 Business Essentials + Flow Free | Active — no desktop Office apps |
| `admin@NETORGFT2570783.onmicrosoft.com` | johnvelez.com | None | GoDaddy admin account |
| `john__quantumwms.com@NETORGFT2570783.onmicrosoft.com` | john@quantumwms.com | None | Shell account, no mailbox, created 2026-03-16 |
| `migrationapp@NETORGFT2570783.onmicrosoft.com` | SkyKick Inc. | None | Old 2016 migration app account |
### Consent URL (Tenant Admin tier)
```
https://login.microsoftonline.com/8f7eaff4-f913-4d3f-b8b9-92e695d987c6/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
```
Post-consent onboard command:
```bash
bash onboard-tenant.sh 8f7eaff4-f913-4d3f-b8b9-92e695d987c6
```
## Compliance Context: Broker/Dealer Requirements
John and Sheila believe Intermedia is mandated by their Broker/Dealer. **This is almost certainly incorrect.**
### What SEC Rule 17a-4 / FINRA Rule 4511 actually require
- Electronic communication retention (3 years accessible, 6 years total for most records)
- Non-rewritable, non-erasable (WORM-compliant) archiving
- Supervisory review capability
- Ability to produce records on regulatory demand
### What they do NOT require
- Intermedia specifically
- Any named third-party vendor
- Exchange Server or hosted Exchange
### Microsoft 365 satisfies all FINRA/17a-4 requirements
Microsoft Purview (included in Business Premium) provides WORM-compliant archiving with a CFTC/SEC 17a-4 compliance attestation from Cohasset Associates. The majority of FINRA-registered broker/dealers run on Exchange Online. FINRA has published guidance explicitly endorsing cloud-based recordkeeping.
### Action item (BLOCKER)
Sheila has been asked to produce **written policy from the Broker/Dealer that explicitly names Intermedia** as the required platform. This policy is expected not to exist — the B/D policy will require compliant archiving, not a specific vendor. Resolution expected before meeting 2026-05-27 14:00.
## Recommended Architecture: M365 Business Premium + Mailprotector
### License Plan
| Account | License | Domain |
|---|---|---|
| John (firm) | M365 Business Premium | quantumwms.com |
| Sheila (firm) | M365 Business Premium | quantumwms.com |
| Sheila (personal) | Exchange Online Plan 1 | sheilaperess.com |
| Others TBD | Exchange Online Plan 1 | TBD |
### What Business Premium provides over Intermedia
| Capability | Intermedia Hosted Exchange | M365 Business Premium |
|---|---|---|
| Email | Exchange Server (hosted) | Exchange Online (Microsoft cloud) |
| Exchange CVE exposure | YES — full Server CVE surface | No — Microsoft patches same-day |
| Spam/malware filtering | Basic | Defender for Office 365 Plan 1 (Safe Links, Safe Attachments) |
| Frontend filtering | None | Mailprotector (ACG-managed) |
| MFA enforcement | Manual | Entra ID P1 — Conditional Access |
| FINRA archiving | Intermedia archiver (extra cost) | Microsoft Purview — included |
| Desktop Office apps | No | Yes (Word, Excel, Outlook, etc.) |
| Mobile device management | No | Intune — included |
| DMARC/DKIM setup | Not managed | ACG-managed during migration |
### Migration Steps
1. [DONE] Get consent from John (2026-05-26)
2. Obtain written B/D compliance policy from Sheila — confirm no Intermedia mandate
3. Add quantumwms.com as verified domain to johnvelez.com tenant
4. Purchase 2x Business Premium (direct or ACG CSP)
5. Create firm mailboxes (john@quantumwms.com, sheila@quantumwms.com)
6. Assign Business Premium licenses
7. Set up Mailprotector frontend for quantumwms.com
8. Configure DMARC, fix SPF (single record), configure DKIM
9. Cut MX from Intermedia → Exchange Online
10. Migrate existing mail from Intermedia → Exchange Online
11. Activate Office apps on their machines
12. Cancel Intermedia after cutover confirmed
13. Move DNS (quantumwms.com + sheilaperess.com) to Cloudflare
14. Purchase Exchange Online Plan 1 for personal domain accounts
15. Cancel GoDaddy email hosting per account as each migrates
### GoDaddy Decoupling Plan
- DNS: move both domains to Cloudflare (transfer locks must be removed in GoDaddy first)
- M365 licensing: swap GoDaddy-resold O365 Business Essentials → Business Premium
- Intermedia: cancel after mail cutover confirmed
## Open Items
- [ ] **BLOCKER:** Sheila to produce B/D written policy on email compliance requirements (due 2026-05-27 14:00)
- [ ] Sheila to confirm: sheilaperess.com Exchange Online Plan 1 only vs. Business Basic upgrade
- [ ] Determine additional personal domain accounts beyond sheilaperess.com
- [ ] DNS cutover timing for both domains
- [ ] Confirm whether SkyKick migration app account (2016) can be deleted

1
wiki/index.md
View File

@@ -42,6 +42,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| [Khalsa (two-site)](clients/khalsa.md) | Two-site client (Camden + River); onboarding not completed; domain khalsa.local, DC TROUT at 10.11.12.254; Mac domain-join runbook documented; template docs otherwise empty | 2026-05-24 | | [Khalsa (two-site)](clients/khalsa.md) | Two-site client (Camden + River); onboarding not completed; domain khalsa.local, DC TROUT at 10.11.12.254; Mac domain-join runbook documented; template docs otherwise empty | 2026-05-24 |
| [Anaise](clients/anaise.md) | Single workstation client; contact David (anaisedavid.office@gmail.com); DESKTOP-O8GF4SD; creds in vault at clients/anaise/desktop-o8gf4sd.sops.yaml; onboarding incomplete; M365 enrollment unconfirmed | 2026-05-24 | | [Anaise](clients/anaise.md) | Single workstation client; contact David (anaisedavid.office@gmail.com); DESKTOP-O8GF4SD; creds in vault at clients/anaise/desktop-o8gf4sd.sops.yaml; onboarding incomplete; M365 enrollment unconfirmed | 2026-05-24 |
| [ACG Website (azcomputerguru.com)](clients/azcomputerguru.com.md) | Public website redesign (Astro); score 33/40; placeholder testimonials + no-backend form are pre-launch blockers; OKLCH token design system; see internal-infrastructure.md for ACG servers | 2026-05-24 | | [ACG Website (azcomputerguru.com)](clients/azcomputerguru.com.md) | Public website redesign (Astro); score 33/40; placeholder testimonials + no-backend form are pre-launch blockers; OKLCH token design system; see internal-infrastructure.md for ACG servers | 2026-05-24 |
| [Quantum WMS](clients/quantumwms.md) | WMS company; quantumwms.com tenant (ddf3d2c9); GoDaddy decoupling + M365 migration; 2x Business Premium + Exchange Online Plan 1; deadline 2026-06-03; Tenant Admin consented 2026-05-26 | 2026-05-26 |
## Projects ## Projects