wiki: seed remaining clients and projects (batch 3)

Adds 11 client articles and 5 project articles:

Clients: kittle, khalsa, anaise, azcomputerguru.com, bg-builders,
evs, furrier, horseshoe-management, kittle-design, scileppi-law,
western-tire

Projects: discord-bot, radio-show, msp-pricing, wrightstown-smarthome,
wrightstown-solar

Updates wiki/index.md with all new entries, cross-references, and
removes seeded client:birthbiologic from compilation queue.

Critical findings surfaced:
- Kittle: WS2025 EVAL license, no backups, 3 plaintext creds in Syncro
- Western Tire: SSL cert *.westerntire.com expires 2026-05-30
- Kittle Design: active compromise (Ken inbox rule unresolved)
- Horseshoe Mgmt: plaintext creds for 5+ users in Syncro notes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-24 19:59:40 -07:00
parent 30b8020edf
commit f4fb131529
17 changed files with 2426 additions and 2 deletions

141
wiki/clients/anaise.md Normal file

@@ -0,0 +1,141 @@
---
type: client
name: anaise
display_name: Anaise
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/anaise/docs/overview.md
- clients/anaise/docs/cloud/m365.md
- clients/anaise/docs/cloud/azure.md
- clients/anaise/docs/rmm/rmm.md
- clients/anaise/docs/security/antivirus.md
- clients/anaise/docs/security/backup.md
- clients/anaise/docs/issues/log.md
- clients/anaise/docs/network/topology.md
- clients/anaise/docs/network/firewall.md
- clients/anaise/docs/network/dns.md
- clients/anaise/docs/network/dhcp.md
- clients/anaise/docs/network/vlans.md
- clients/anaise/PROJECT_STATE.md
---
# Anaise
## Overview
New client in ONBOARDING status as of 2026-04-16. Standard client directory structure applied by Howard. Single-site [unverified]. Onboarding is incomplete — only a primary contact name, email, and one workstation have been captured.
- **Business type:** *(not documented)*
- **Locations:** *(not documented — single site assumed [unverified])*
- **Total users:** *(not documented — at minimum 1 user: David)*
- **Billing model:** *(not documented)*
- **Billing rate:** *(not documented)*
- **Contract status:** ONBOARDING — terms not yet documented
- **Hours remaining:** *(not documented)*
[WARNING] Almost all template fields across all docs are blank. The only substantive data is the primary contact (David), one workstation (DESKTOP-O8GF4SD), and a vault credential reference. Onboarding must be completed before this client can be effectively supported.
---
## Contacts
| Name | Title | Email | Phone |
|------|-------|-------|-------|
| David | Primary Contact [unverified — no title documented] | anaisedavid.office@gmail.com | *(not documented)* |
No IT contact, no secondary contacts documented.
---
## Infrastructure
Only one machine documented.
### Workstations
| Hostname | Username | OS | Notes |
|----------|----------|----|-------|
| DESKTOP-O8GF4SD | david | *(not documented)* | Credentials in SOPS vault — see below |
### Servers
*(not documented)*
### Credentials
Machine credentials are stored in the SOPS vault. **Do not put plaintext passwords in any file.**
- **DESKTOP-O8GF4SD / david:** `clients/anaise/desktop-o8gf4sd.sops.yaml``credentials.password`
- Retrieve: `bash $VAULT get-field clients/anaise/desktop-o8gf4sd.sops.yaml credentials.password`
---
## Network
All network template files (topology, firewall, DNS, DHCP, VLANs) are blank placeholders — no ISP, IPs, hardware, subnets, or VPN details documented.
- **Topology:** *(not documented — template only)*
- **Firewall:** *(not documented — template only)*
- **DNS:** *(not documented — template only)*
- **DHCP:** *(not documented — template only)*
- **VLANs:** Template defines VLAN IDs 1, 10, 20, 30, 40, 50, 60, 100 (standard schema) — no subnets or IPs filled in.
---
## Cloud / M365
All M365 and Azure template fields are blank. No tenant name, tenant ID, domain, licenses, Exchange settings, SharePoint, Teams, Entra, or Defender details are documented.
- **M365 tenant:** *(not documented)*
- **Azure subscription:** *(not documented)*
- **Other cloud services:** *(not documented)*
Note: David's contact email is a Gmail address (anaisedavid.office@gmail.com). It is unknown whether the organization uses M365 or Google Workspace, or neither. [unverified]
---
## GuruRMM
All RMM template fields are blank.
- **Client ID:** *(not documented)*
- **Site ID:** *(not documented)*
- **Enrolled agents:** *(not documented)*
- **Monitoring policies:** Template placeholders only — no client-specific values
- **Patch policy:** *(not documented)*
---
## Active Projects / Open Items
- [ ] Complete onboarding — capture infrastructure details, contacts, credentials to vault
- [ ] Populate all `docs/` templates with real data (network, servers, M365 or other email/cloud, backup, AV, RMM)
- [ ] Determine whether client uses M365, Google Workspace, or no cloud services
- [ ] Document workstation OS for DESKTOP-O8GF4SD
- [ ] Capture any additional users and machines
---
## Key Events / History
| Date | Event |
|------|-------|
| 2026-04-16 | Client directory created by Howard. Standard template applied. ONBOARDING status set. |
No issue log entries. No session logs exist for this client.
---
## Anti-Patterns / Warnings
- [WARNING] Onboarding is incomplete. Do not assume any template placeholder values are real — only contact name/email and one workstation credential vault reference are confirmed.
- [WARNING] Primary contact email is Gmail (anaisedavid.office@gmail.com). Do not assume M365 is in use — confirm cloud/email provider before attempting any M365 remediation or enrollment.
- Credential for DESKTOP-O8GF4SD is in vault only — never expose plaintext. Use vault wrapper to retrieve.
- No network, firewall, or server data exists. Do not attempt remote access without first completing the onboarding discovery.
---
## Backlinks
- [[wiki/index]] — client index
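Review bot: In the Credentials section, the Retrieve line calls the vault as `bash $VAULT get-field ...` with `$VAULT` unquoted and not defined anywhere in the article, while the bg-builders and furrier articles in this same commit use `vault.sh get-field`. Pick one invocation for all client articles and either say where `$VAULT` is set or spell out the wrapper path, so a technician is not left guessing which tool reads `clients/anaise/desktop-o8gf4sd.sops.yaml`. The bullet above it also runs the file path and `credentials.password` together with no separator between them.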

@@ -0,0 +1,114 @@
---
type: client
name: azcomputerguru.com
display_name: ACG Website (azcomputerguru.com)
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/azcomputerguru.com/session-logs/2026-05-22-session.md
---
# ACG Website (azcomputerguru.com)
> This article covers the public-facing azcomputerguru.com website only. For ACG's internal infrastructure (Neptune Exchange, Gitea, Jupiter, etc.), see [[internal-infrastructure]].
## Overview
The azcomputerguru.com website is Arizona Computer Guru's own public marketing site. As of 2026-05-22, it is being redesigned as a static Astro site with a custom design system, replacing the previous live site. The prototype is under active development in the `clients/azcomputerguru.com/` directory of the ClaudeTools repo.
- **Status:** Prototype in progress. Not yet deployed to production.
- **Billing model:** Internal / owner project — no client billing.
- **Contract status:** N/A (ACG's own site).
## Contacts
*(not documented)* — ACG internal project; no external client contacts.
## Infrastructure
### Production Hosting
- **Host:** IX Web Hosting (cPanel)
- **Deploy path:** `/public_html/`
- **Deployment method:** Manual file upload (no CI/CD configured as of last session)
- **URL:** https://azcomputerguru.com
### Local Development
- **Build tool:** Astro (`npm run build`)
- **Build output:** `dist/`
- **Preview server:** `npx astro preview --port 4325``http://localhost:4325/`
- **Build location:** `D:/claudetools/clients/azcomputerguru.com/`
- **Config file:** `clients/azcomputerguru.com/astro.config.mjs`
- `site: 'https://azcomputerguru.com'`
- `compressHTML: true`
## Network
*(not documented)* — Static hosted site; no proprietary network infrastructure.
## Cloud / M365
*(not documented)* — Website project only; M365/cloud tenant info belongs in [[internal-infrastructure]].
## GuruRMM
*(not documented)* — No GuruRMM agents are associated with website hosting.
## Active Projects / Open Items
### Prototype Redesign (Astro)
Main deliverable file: `clients/azcomputerguru.com/src/pages/index.astro`
Current design score: **33/40** (up from 21/40 on original live site)
Score progression:
- `2026-05-22T15-08-23Z` — original live site critique: 21/40
- `2026-05-22T15-53-21Z` — after initial craft + harden pass: 31/40
- `2026-05-22T17-03-45Z` — after all P1+P2 fixes: 33/40
Critique snapshots stored in `.impeccable/critique/`.
### Open P2 Items (from last session)
- **Form error states:** CTA form uses browser-native `required` validation only. No styled error feedback. Fix: ~15 lines of inline `<script>` + one CSS error token.
- **Pricing signal:** No pricing context on page. A single line near the catalog or CTA subtext would address persona red flag without committing to numbers.
### Future / Pre-Launch
- **Form backend:** `action="/contact" method="GET"` is a prototype placeholder. IX Web Hosting supports PHP; options: simple `contact.php` or Formspree.
- **Replace placeholder testimonials:** Current testimonials use constructed names (Sarah M., James K., Linda R.) and fabricated quotes. Must be replaced with actual client quotes before launch.
- **`aria-current="page"`:** Not set on homepage nav item.
- **Dynamic copyright year:** Footer `© 2026` is hardcoded. Replace with JS expression or Astro template variable.
- **Production deployment:** Site has not been deployed to IX Web Hosting this session.
## Key Events / History
### 2026-05-22 — Homepage Redesign Session (Impeccable Craft Pass)
- Resumed from a prior context-compacted session that had completed initial craft + harden pass (31/40).
- Scope: all P1 + P2 items from most recent critique.
- Changes made to `index.astro`:
- Added `.sr-only` utility class to CSS reset block.
- Added full testimonials section (HTML + CSS): `.testimonial-grid`, `.testimonial-item`, `.testimonial-quote`, `.testimonial-attribution`. Cards use `border-top: 3px solid var(--color-accent)` (not side-stripe — banned).
- Redesigned CTA band from centered single-column to two-column grid (`1fr 1.1fr`): left = `.cta-text` (heading, subtext, phone link); right = `.cta-form-wrap` with 3-field form (name required, phone/email required, textarea).
- Restructured service catalog from flat 12-item `<ul>` to 3 labeled groups (`<div class="catalog-group">`): Management (5 items), Security (4 items), Support (3 items). Grid changed from `auto-fit minmax(320px, 1fr)` to `repeat(3, 1fr)`.
- Removed orphaned CSS rules `.cta-actions`, `.cta-or` after CTA band rewrite.
- Final score: 33/40.
## Design System Notes
- **Fonts:** Barlow Condensed (display, `--font-display`) + Lexend (body, `--font-body`) — Google Fonts via `<head>`
- **Color system:** OKLCH throughout; brand orange `oklch(0.70 0.18 55)`; all tokens in `:root`
- **Spacing scale:** `--sp-1` through `--sp-24` (0.25rem steps)
- **CTA form panel background:** `oklch(0.22 0.06 30)` — very dark brownish-red, chroma shifted toward brand hue
- **Input fields:** `oklch(0.17 0.04 30)`
- **Submit button:** white background + brand-color text (inverts off orange band)
## Anti-Patterns / Warnings
- [WARNING] **Do not deploy the prototype as-is.** Testimonials use placeholder names and fabricated quotes. Replace before any production push.
- [WARNING] **The CTA form has no backend handler.** `action="/contact" method="GET"` will 404 on the live site. Do not launch without a form processor.
- **Side-stripe card borders are banned** in this design system. Use `border-top` accent treatment instead.
- **Do not use a flat `<ul>` for the service catalog.** The grouped `catalog-groups` structure is intentional and was a scored improvement.
- **Do not confuse this article with [[internal-infrastructure]].** The azcomputerguru.com site lives on IX Web Hosting, not Neptune or any ACG-managed server.
## Backlinks
- [[internal-infrastructure]] — ACG's internal servers, Neptune Exchange, Gitea, Jupiter (separate from this article)
- [[gururmm]] — GuruRMM project (referenced in service catalog as a service offering)
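Review bot: The "Form backend" item under Future / Pre-Launch treats `action="/contact" method="GET"` only as a missing handler, but a GET submission would also put the visitor's name, phone/email and message into the URL, where they land in browser history and web server access logs. Add to that item that the production form must submit with `method="POST"` over HTTPS, and repeat the requirement in the CTA form warning under Anti-Patterns so it is checked before launch. Separately, the "Preview server" line runs the command and the localhost URL together with no separator.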

128
wiki/clients/bg-builders.md Normal file

@@ -0,0 +1,128 @@
---
type: client
name: bg-builders
display_name: BG Builders LLC
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/bg-builders/session-logs/2026-03-09-session.md
---
# BG Builders LLC
## Overview
- **Business type:** Construction / building contractor [unverified beyond name]
- **M365 tenant:** bgbuildersllc.com
- **Billing model:** Unknown — no billing data in session log
- **Contract status:** Unknown
- **CIPP Name:** sonorangreenllc.com (alternate tenant name in CIPP)
## Contacts
| Name | UPN | Access | Notes |
|---|---|---|---|
| Barry | barry@bgbuildersllc.com | FullAccess + SendAs on Lesley's mailbox | Set from original termination |
| Shelly | Shelly@bgbuildersllc.com | FullAccess + SendAs on Lesley's mailbox | Set from re-enable script 2026-02-27 |
| Lesley Roth | lesley@bgbuildersllc.com | Disabled | Terminated employee; account preserved per client request |
## Infrastructure
*(not documented — session was M365 account disable/wipe focused; no on-premises infrastructure captured)*
## Network
*(not documented)*
## Cloud / M365
| Property | Value |
|---|---|
| Tenant domain | bgbuildersllc.com |
| Tenant ID | ededa4fb-f6eb-4398-851d-5eb3e11fab27 |
| CIPP Name | sonorangreenllc.com |
| Admin UPN | sysadmin@bgbuildersllc.com |
| Admin credentials | Vault only — do NOT hardcode |
| Intune / Business Premium | No — no Intune-managed devices |
| Lesley account state | Disabled (AccountEnabled: False), Litigation Hold: True, licenses still assigned |
> [WARNING] Session log contained plaintext M365 admin credentials (sysadmin@bgbuildersllc.com). Use vault only: `vault.sh get-field clients/bg-builders/m365`.
### Lesley Roth — account state as of 2026-03-09
| Property | Value |
|---|---|
| AccountEnabled | False (was already False from 2026-02-27 prior termination) |
| Mailbox type | UserMailbox |
| Litigation Hold | True |
| Licenses | Still assigned (per client request — not removed) |
| Barry access | FullAccess + SendAs |
| Shelly access | FullAccess + SendAs |
| iPhone 16 Pro (iOS 26.3.1) | AccountOnlyDeviceWipePending (active device, last sync 2026-03-09) |
| iPhone 14 Pro (iOS 18.5) | AccountOnlyDeviceWipePending (stale — last sync 2025-06-27, may never acknowledge) |
| OneDrive | Not addressed |
### 72-hour mail activity report (Lesley, 2026-03-06 to 2026-03-09)
- No suspicious activity found — no suspicious sent/deleted mail, no inbox rules, no forwarding configured.
- Report saved to: `D:\ClaudeTools\scripts\bgb-lesley-mail-report-20260309.txt`
### M365 PowerShell technical notes
- `Get-MessageTrace` deprecated Sep 2025 — use `Get-MessageTraceV2` (no `-PageSize` parameter).
- `Search-MailboxAuditLog` deprecated Jan 2026 — use `Search-UnifiedAuditLog`.
- Exchange Online `-Device` auth switch requires PowerShell 7 (`pwsh`), NOT Windows PowerShell 5.1.
- WAM broker auth requires a visible PowerShell window — cannot run from bash or non-interactive shell.
### Scripts created (2026-03-09)
| Script | Purpose |
|---|---|
| `scripts/bgb-lesley-disable-wipe.ps1` | Disable account + device email wipe |
| `scripts/bgb-lesley-mail-report.ps1` | 72-hour mail activity report |
| `scripts/bgb-lesley-verify-wipe.ps1` | Verify device wipe status |
## GuruRMM
*(not documented)*
## Active Projects / Open Items
| Priority | Item | Owner |
|---|---|---|
| P1 | iPhone 16 Pro (active) — wipe should have completed; verify status | Howard / Mike |
| P1 | iPhone 14 Pro (stale since 2025-06-27) — wipe likely never acknowledged; verify or close | Howard / Mike |
| P2 | Lesley's OneDrive access not addressed in this session | Mike |
| P3 | sysadmin password reset — admin lacked privilege to reset Lesley's password via script (403); was done manually via M365 Admin Center. Verify sysadmin role assignments are sufficient for future terminations | Mike |
## Key Events / History
### 2026-02-27 — First termination (prior session, minimal detail)
- Lesley's account was previously disabled and sessions revoked.
- Litigation hold was enabled.
- Barry given FullAccess + SendAs.
### 2026-03-09 — Employee disable and device wipe
Lesley Roth (lesley@bgbuildersllc.com) terminated employee offboarding:
- Account already disabled (AccountEnabled was already False from 2026-02-27).
- Sessions re-revoked (belt-and-suspenders).
- Password manually reset via M365 Admin Center to `bgb-pass-reset-2026!!` (script failed 403 — sysadmin lacked privilege). Store in vault; rotate if account still exists.
- AccountOnly device wipe initiated on both iPhones (removes M365 email only; personal data preserved).
- Shelly given FullAccess + SendAs (added this session via re-enable script logic).
- 72-hour mail activity report: nothing suspicious.
- Account NOT converted to shared mailbox; licenses NOT removed — per client request.
## Anti-Patterns / Warnings
- [WARNING] Plaintext M365 admin credentials in session log — use vault only.
- [WARNING] sysadmin account has insufficient privileges to programmatically reset user passwords (403 on password reset). Plan for Global Admin or verify role assignments before future offboardings.
- BG Builders has NO Intune / Business Premium — device management is via EAS ActiveSync only. AccountOnly wipes (not full Intune wipes) are the only available device action.
- iPhone 14 Pro last synced 2025-06-27 — wipe will never complete if device stays offline. Do not wait on it.
- Do NOT delete Lesley's account or remove licenses without explicit client instruction — client requested account preservation.
- CIPP name for this tenant is `sonorangreenllc.com` — use this when looking up the tenant in CIPP.
## Backlinks
- *(no related wiki articles yet)*
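Review bot: The 2026-03-09 Key Events entry commits a password literal in plaintext (the "Password manually reset via M365 Admin Center to ..." bullet), in the same article that warns twice against plaintext credentials. Replace the literal with a vault reference in the form already used in the Cloud / M365 section (`vault.sh get-field clients/bg-builders/...`), treat the value as exposed now that it is in git history, and rotate it rather than "rotate if account still exists". It is also worth confirming that the tenant ID and admin UPN in the Cloud / M365 table are intended to live in the wiki rather than in the vault entry.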

82
wiki/clients/evs.md Normal file

@@ -0,0 +1,82 @@
---
type: client
name: evs
display_name: Equity Valuation Services
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/evs/session-logs/2026-04-17-session.md
---
# Equity Valuation Services (EVS)
## Overview
- **Business type:** Financial services — equity valuation [unverified beyond name]
- **Billing model:** Unknown — no billing data in source log
- **Contract status:** Unknown
- **Billing rate:** Unknown
- **Hours remaining:** Unknown
- This is the first documented entry for EVS. Minimal infrastructure detail captured.
## Contacts
| Name | Title | Notes |
|---|---|---|
| *(not documented)* | | Howard maintains the VM onsite |
## Infrastructure
| Asset | Role | OS | Notes |
|---|---|---|---|
| EVS VM | User workstation | Windows 11 | Howard's primary working machine at this site; running Win11 compact right-click menu |
- No IP addresses, hostnames, or hardware specs documented.
- Single VM confirmed; no detail on hypervisor or host hardware.
## Network
*(not documented)*
## Cloud / M365
*(not documented)*
## GuruRMM
*(not documented)*
## Active Projects / Open Items
- Howard to apply Win11 right-click registry fix on the VM (pending confirmation as of 2026-04-17).
- If Howard uses more than one user profile on the VM, the registry fix must be run for each profile separately (fix is HKCU-scoped).
## Key Events / History
### 2026-04-17 — Win11 right-click menu revert
Howard reported the Win11 VM shows the compact (Win11-style) right-click context menu and finds it confusing. Standard per-user registry fix provided:
```powershell
reg add "HKCU\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32" /f /ve
Stop-Process -Name explorer -Force
```
- HKCU-scoped — affects only the user who runs it on that session.
- Persists across reboots. Stable on 22H2/23H2/24H2/25H2.
- No admin elevation required.
To revert to Win11 default:
```powershell
reg delete "HKCU\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}" /f
Stop-Process -Name explorer -Force
```
## Anti-Patterns / Warnings
- [WARNING] Almost no infrastructure is documented for this client. Do not assume anything about their environment beyond a single Win11 VM managed by Howard.
- Add infrastructure detail to this article whenever encountered — this is a thin record.
## Backlinks
- *(no related wiki articles yet)*
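Review bot: Both code blocks in the 2026-04-17 entry end with `Stop-Process -Name explorer -Force`, and nothing in the article says that this terminates the user's shell process and closes every open File Explorer window. Add one line before the first block telling the technician to have the user finish any file copy or move first, and say what to do if the desktop does not come back on its own. The bullet "affects only the user who runs it on that session" would also read more clearly as "affects only the profile it is run under", which matches the per-profile note in Open Items.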

112
wiki/clients/furrier.md Normal file

@@ -0,0 +1,112 @@
---
type: client
name: furrier
display_name: Furrier (Mike Furrier / Western Tire / Desert Rat)
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/furrier/session-logs/2026-04-21-session.md
---
# Furrier / Mike Furrier
## Overview
- **Business type:** Mike Furrier is the owner/contact behind multiple entities: Western Tire and Desert Rat (desertrat.com). These are managed under a single Syncro customer record.
- **Syncro Customer ID:** 391491
- **Billing model:** Time and materials [unverified — one invoice observed]
- **Billing rate:** $150/hr [unverified — $75.00 billed for 30 min remote]
- **Contract status:** Unknown
> Note: Mike Furrier is also the customer contact for Western Tire (see [[wiki/clients/western-tire.md]]). These may be the same Syncro record. Confirm whether furrier and western-tire are the same Syncro customer.
## Contacts
| Name | Title | Email | Notes |
|---|---|---|---|
| Mike Furrier | Owner | *(not documented)* | Primary contact for desertrat.com and Western Tire |
| Tim Furrier | Employee/forwarder user | tim@desertrat.com | Forwarder → timfurrier@gmail.com; was sending from Gmail causing DMARC failures |
## Infrastructure
### Websvr (ACG-hosted cPanel)
| Property | Value |
|---|---|
| Hostname | websvr.acghosting.com |
| External IP (primary) | 162.248.93.233 |
| External IP (secondary) | 162.248.93.81 |
| OS | CentOS 7 |
| WHM version | 11.110.0.95 |
| SSH port | 22 |
| SSH credentials | Vault: `infrastructure/websvr` (do NOT hardcode) |
| WHM API Token | Vault only — do not hardcode |
| cPanel account | desertra |
| Domain | desertrat.com |
> [WARNING] Session log contained plaintext SSH credentials and WHM API token. These must not be committed or referenced outside the vault. Retrieve via `vault.sh get-field`.
### Mail architecture (desertrat.com)
- Mail hosted on websvr.acghosting.com (cPanel/exim).
- Inbound spam filter: Mailprotector (emailservice.io front-end).
- `tim@desertrat.com` is a **forwarder** (not a mailbox) → `timfurrier@gmail.com`. Located in `/etc/valiases/desertrat.com`.
- 38 mailboxes/forwarders total.
## Network
### DNS (desertrat.com)
- **DNS Host:** AWS Route 53
- **MX:** `10 desertrat-com.inbound.emailservice.io`, `20 .inbound.emailservice.cc`, `30 .inbound.emailservice.co`
- **SPF:** `v=spf1 +a +mx +ip4:162.248.93.233 +ip4:162.248.93.81 +include:spf.wdsolutions.com +include:spf.us.emailservice.io -all`
- **DKIM:** `default._domainkey.desertrat.com` — active, signed by Websvr
- **DMARC:** `v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; pct=100` — full enforcement
## Cloud / M365
*(not documented)*
## GuruRMM
*(not documented)*
## Active Projects / Open Items
| Priority | Item | Owner |
|---|---|---|
| P1 | Tim configures Gmail "Send mail as" using Websvr SMTP (mail.desertrat.com:587 or :465) to stop DMARC rejections | Mike Furrier / Tim |
| P2 | Mailprotector user import CSV delivered — Mike Furrier to import into Mailprotector admin manually | Mike Furrier |
| P3 | Confirm with WebShop whether their DKIM record add request is still needed (Websvr DKIM already active) | Mike Swanson |
## Key Events / History
### 2026-04-21 — desertrat.com DMARC/SBR email fix
**Syncro ticket #32181** (ID: 109263692). Invoice #67437 — $75.00 + tax = $81.53. Status: Invoiced.
**Root cause:** Two compounding issues:
1. `tim@desertrat.com` is a forwarder to Gmail. Tim replies from Gmail using `tim@desertrat.com` as From. Gmail's servers are not in desertrat.com SPF → DMARC p=reject rejects on inbound.
2. Mailprotector SBR was unconfigured — `/etc/mailprotector_domains` on Websvr was empty; desertrat.com was never enrolled, so outbound forwarded mail bypassed Mailprotector relay.
**Fix applied:** Added `desertrat.com` to `/etc/mailprotector_domains` on websvr. No exim restart required (runtime lsearch lookup). Outbound now routes through `desertrat-com.outbound.emailservice.io`.
**Permanent fix still pending:** Tim must configure Gmail "Send mail as" with Websvr SMTP credentials to send mail that passes DMARC.
### Mailprotector user import CSV
Created `C:\Users\guru\Downloads\desertrat_mailprotector_import.csv` — 38 entries. Key aliases:
- desertrat60 → store60
- desertrat64 → store64
- jobs → tim
## Anti-Patterns / Warnings
- [WARNING] Tim's DMARC rejections will recur any time he replies from Gmail as tim@desertrat.com until "Send mail as" is properly configured. Do not attempt a DNS-level workaround — the correct fix is client-side SMTP configuration.
- [WARNING] DMARC is `p=reject` at 100% — any SPF/DKIM misalignment will hard-fail with no fallback. Be careful with any DNS or mail-routing changes.
- Do NOT look for tim@desertrat.com in cPanel email accounts — it is a forwarder in `/etc/valiases/desertrat.com`, not a mailbox.
- Mailprotector has no automated sync for non-AD/365/Google environments — user import is manual CSV only.
## Backlinks
- [[wiki/clients/western-tire.md]] — Western Tire is another entity under Mike Furrier (same Syncro customer ID 391491)
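Review bot: In the DNS section, the second and third MX entries (`20 .inbound.emailservice.cc`, `30 .inbound.emailservice.co`) begin with a dot and have no host label, so they are not usable as written; with DMARC at `p=reject` this article will be consulted during mail-routing changes, so record the full hostnames or mark the entries as incomplete. The Backlinks line also states "same Syncro customer ID 391491" as fact, while the Overview note says the two "may be the same Syncro record" and asks for confirmation; make the two agree. Finally, consider whether the WHM version, SSH port and cPanel account name belong in the wiki at all, given that the credentials for the same host are deliberately kept vault-only.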

@@ -0,0 +1,99 @@
---
type: client
name: horseshoe-management
display_name: Horseshoe Management
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/horseshoe-management/session-logs/2026-05-06-howard-ups-bypass-relay-fault-onsite.md
---
# Horseshoe Management
## Overview
- **Business type:** Property/business management [unverified beyond name]
- **Syncro Customer ID:** 625269 (Bill Young)
- **Billing model:** Prepaid block hours
- **Billing rate:** $175/hr (onsite business); emergency multiplier 1.5x applied to qty, not rate
- **Hours remaining:** 31.75 hrs (as of 2026-05-06, after 1.5 hr emergency debit)
- **Address:** 2325 E Grant Rd, Tucson
## Contacts
| Name | Role | Notes |
|---|---|---|
| Bill Young | Primary contact / owner [unverified] | Syncro customer name; was on-site during 2026-05-06 visit |
| Donna | Employee [unverified] | Credentials in Syncro notes (see Warning) |
| Randy | Employee [unverified] | Credentials in Syncro notes (see Warning) |
| Frank | Employee [unverified] | Credentials in Syncro notes (see Warning) |
| Sam | Employee [unverified] | Credentials in Syncro notes (see Warning) |
## Infrastructure
### UPS
- **Model:** APC Smart-UPS 1350
- **Status as of 2026-05-06:** Operational after power-cycle. Prior error: P.17 / Event 17 (Bypass Relay Weld fault).
- **History:** Site has gone through multiple batteries and at least two complete UPS units with battery-related errors — pattern suggests underlying electrical/wiring issue.
### Servers / Workstations
*(not documented — session was UPS-focused; no server/workstation inventory captured)*
## Network
*(not documented)*
## Cloud / M365
- **M365 tenant present** — admin account: `Bill@horseshoemgt.com`
- **[WARNING] M365 admin password was stored in plaintext in Syncro customer notes** — see Anti-Patterns section.
- Tenant ID and domain not confirmed beyond `horseshoemgt.com` [unverified domain spelling].
## GuruRMM
*(not documented)*
## Active Projects / Open Items
| Priority | Item | Owner |
|---|---|---|
| P1 | Follow up with Bill to confirm whether they engaged a licensed electrician to check the branch circuit/outlet feeding the UPS equipment | Howard / Mike |
| P1 | Migrate all plaintext credentials from Syncro customer notes to SOPS vault under `clients/horseshoe-management/` and strip from Syncro | Mike |
## Key Events / History
### 2026-05-06 — APC Smart-UPS P.17 bypass relay fault (emergency onsite)
**Syncro ticket #32256** — "Emergency onsite - Server making strange noise" (misleading subject — actual issue was UPS).
**Technician:** Howard Enos.
**Error:** APC Smart-UPS 1350 displaying P.17 / Event 17 (Bypass Relay Weld fault) — internal transfer relay stuck, unit unable to switch between line and battery power.
**Resolution:** Full power-cycle procedure:
1. Disconnected all loads.
2. Unplugged UPS from wall.
3. Removed batteries.
4. Held power button 10 seconds to discharge residual capacitance.
5. Reinstalled batteries, plugged in, reconnected loads, powered up.
6. Error code cleared. UPS operating normally post-cycle.
**Billing:** Emergency onsite on prepay block.
- Product: 26118 (Labor - Onsite Business, $175/hr)
- Qty: 1.5 hrs (1.0 actual × 1.5 emergency multiplier applied to qty, NOT rate)
- Line total: $262.50
- Invoice #67568 — $0.00 (fully covered by prepay block)
- Prepay: 33.25 hrs → 31.75 hrs
**Recommendation given to customer:** Engage a licensed electrician to inspect the branch circuit and outlet before purchasing additional batteries or replacement UPS units. History of repeat failures (multiple batteries, two complete UPS units) does not match normal wear — points to voltage irregularities, poor grounding, or a shared circuit with a high-draw load.
## Anti-Patterns / Warnings
- [WARNING] CRITICAL SECURITY EXPOSURE: Plaintext passwords for Donna, Bill, Randy, Frank, Sam, "Bill Server", and the M365 admin account (`Bill@horseshoemgt.com`) were found in the Syncro customer notes free-text field as of 2026-05-06. These must be migrated to the SOPS vault (`clients/horseshoe-management/`) and stripped from Syncro before any future work exposes them further.
- [WARNING] Do NOT use Emergency product (26184) for emergency billing on prepay customers — use standard Onsite Business (26118) with qty multiplied by 1.5. Stacking both products double-counts the time-and-a-half.
- Do not dismiss repeat UPS/battery failures as normal wear. Pattern at this site strongly suggests an electrical infrastructure problem.
## Backlinks
- *(no related wiki articles yet)*
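Review bot: The P1 open item and the CRITICAL SECURITY EXPOSURE warning both say to migrate the plaintext passwords to the SOPS vault and strip them from Syncro, but neither calls for rotating them. Passwords that have sat in a free-text notes field should be treated as exposed: add a rotation step for every account listed, starting with the M365 admin `Bill@horseshoemgt.com`, and store only the new values in the vault. The domain is also tagged "[unverified domain spelling]" in Cloud / M365 while the admin UPN is given without that tag in two other places; confirm the spelling or carry the tag through.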

174
wiki/clients/khalsa.md Normal file
View File

@@ -0,0 +1,174 @@
---
type: client
name: khalsa
display_name: Khalsa
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/khalsa/docs/overview.md
- clients/khalsa/docs/cloud/m365.md
- clients/khalsa/docs/cloud/azure.md
- clients/khalsa/docs/rmm/rmm.md
- clients/khalsa/docs/security/antivirus.md
- clients/khalsa/docs/security/backup.md
- clients/khalsa/docs/issues/log.md
- clients/khalsa/docs/apple-domain-join.md
- clients/khalsa/docs/network/README.md
- clients/khalsa/docs/network/camden/topology.md
- clients/khalsa/docs/network/camden/firewall.md
- clients/khalsa/docs/network/camden/dns.md
- clients/khalsa/docs/network/camden/dhcp.md
- clients/khalsa/docs/network/camden/vlans.md
- clients/khalsa/docs/network/river/topology.md
- clients/khalsa/docs/network/river/firewall.md
- clients/khalsa/docs/network/river/dns.md
- clients/khalsa/docs/network/river/dhcp.md
- clients/khalsa/docs/network/river/vlans.md
- clients/khalsa/PROJECT_STATE.md
---
# Khalsa
## Overview
New client in ONBOARDING status as of 2026-04-16. Standard client directory structure applied by Howard. Multi-site environment with two locations: **Camden** and **River**. Onboarding is incomplete — infrastructure details, contacts, and credentials have not yet been captured to the vault.
- **Business type:** *(not documented)*
- **Locations:** 2 (Camden, River)
- **Total users:** *(not documented)*
- **Billing model:** *(not documented)*
- **Billing rate:** *(not documented)*
- **Contract status:** ONBOARDING — terms not yet documented
- **Hours remaining:** *(not documented)*
[WARNING] All template fields in overview.md, m365.md, azure.md, rmm.md, antivirus.md, and backup.md are blank. The only substantive technical content in the entire client directory is `docs/apple-domain-join.md`. Onboarding must be completed before this client can be effectively supported.
---
## Contacts
All contact fields in overview.md are blank. No primary contact, IT contact, names, phones, or emails documented.
- **Primary Contact:** *(not documented)*
- **IT Contact:** *(not documented)*
- **Location (Camden):** *(not documented)*
- **Location (River):** *(not documented)*
---
## Infrastructure
No server or workstation inventory has been captured. The following is known only from `docs/apple-domain-join.md`:
### Known Servers
| Hostname | IP | Role | OS | Notes |
|----------|----|------|----|-------|
| TROUT | 10.11.12.254 | Domain Controller, Primary DNS | *(not documented)* | khalsa.local domain; DNS forwarder at 10.11.12.1 |
| *(unknown)* | 10.11.12.243 | DNS server | *(not documented)* | [WARNING] This is a DNS server but NOT the DC — do not confuse the two |
### Workstations
*(not documented)*
### Active Directory
- **Domain:** `khalsa.local`
- **Domain admin account:** `guru`
- **DC hostname:** TROUT at 10.11.12.254
- **DNS primary:** 10.11.12.254 (DC/TROUT)
- **DNS secondary:** 10.11.12.1
- Kerberos (port 88), LDAP (port 389), SMB (port 445) required to reach DC
---
## Network
Two sites: Camden and River. All network template files (topology, firewall, DNS, DHCP, VLANs) are blank placeholders for both sites — no subnets, IPs, hardware, ISPs, or VPN details are recorded.
### Camden
- **Topology:** *(not documented — template only)*
- **Firewall:** *(not documented — template only)*
- **DNS:** *(not documented — template only)*
- **DHCP:** *(not documented — template only)*
- **VLANs:** Template defines VLAN IDs 1, 10, 20, 30, 40, 50, 60, 100 (standard schema: Management, Servers, Workstations, VoIP, WiFi-Corp, WiFi-Guest, Security) — but no subnets or IPs filled in.
### River
- **Topology:** *(not documented — template only)*
- **Firewall:** *(not documented — template only)*
- **DNS:** *(not documented — template only)*
- **DHCP:** *(not documented — template only)*
- **VLANs:** Same VLAN ID schema as Camden — no subnets or IPs filled in.
### Site-to-Site Connectivity
*(not documented)* — firewall.md VPN sections are blank for both sites.
### Confirmed Network Info (from apple-domain-join.md)
- DC/DNS: TROUT at 10.11.12.254 (implies /24 range starting with 10.11.12.x)
- Secondary DNS: 10.11.12.1 [unverified — likely a firewall or router]
- 10.11.12.243 is a DNS server (role unknown, not the DC)
- Site assignment of these IPs (Camden vs River) is unknown
---
## Cloud / M365
All M365 and Azure template fields are blank. No tenant name, tenant ID, domain, licenses, Exchange settings, SharePoint, Teams, Entra, or Defender details are documented.
- **M365 tenant:** *(not documented)*
- **Azure subscription:** *(not documented)*
- **Other cloud services:** *(not documented)*
---
## GuruRMM
All RMM template fields are blank.
- **Client ID:** *(not documented)*
- **Site IDs:** *(not documented)*
- **Enrolled agents:** *(not documented)*
- **Monitoring policies:** Template placeholders only (Disk Space, CPU, Service Monitor, Backup Monitor, Offline Alert — no client-specific values)
- **Patch policy:** *(not documented)*
---
## Active Projects / Open Items
- [ ] Complete onboarding — capture infrastructure details, contacts, credentials to vault
- [ ] Populate all `docs/` templates with real data (network, servers, M365, backup, AV, RMM)
- [ ] Document both Camden and River site specifics (topology, firewall rules, VLANs, IPs)
- [ ] Capture contacts to overview.md
- [ ] Store credentials in SOPS vault under `clients/khalsa/`
---
## Key Events / History
| Date | Event |
|------|-------|
| 2026-04-16 | Client directory created by Howard. Standard template applied. ONBOARDING status set. |
No issue log entries. No session logs exist for this client.
---
## Anti-Patterns / Warnings
- [WARNING] 10.11.12.243 is a DNS server but NOT the domain controller. Do not treat it as the DC. The DC is TROUT at 10.11.12.254.
- [WARNING] Onboarding is incomplete. Do not assume any template placeholder values are real — all fields other than the apple-domain-join.md content are empty.
- [WARNING] Do NOT run `dsconfigad` commands via ScreenConnect — the domain join step requires a password prompt that ScreenConnect cannot handle. Must use direct Terminal access.
- When joining a Mac that was previously joined and has a broken trust: force-remove first (`dsconfigad -remove -username guru -force`), then re-join. Skipping this causes error 2100.
- After applying `DefaultDomain` setting for login window, a reboot is required for the domain prefix to drop from login.
- No credentials are in this wiki. Retrieve from vault under `clients/khalsa/` once captured.
---
## Backlinks
- [[wiki/index]] — client index
- [[wiki/patterns/apple-domain-join]] — if a general Apple domain join pattern article exists or is created
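
Review bot: 10.11.12.1 is given inconsistent roles in this article: the Known Servers table calls it the DNS forwarder for TROUT, the Active Directory list calls it "DNS secondary", and only the Confirmed Network Info list tags it [unverified]. Settle on one description and carry the [unverified] tag everywhere the address appears, otherwise a reader will configure it as a second resolver for khalsa.local on the strength of the Active Directory list. Also in the Camden VLANs line, eight VLAN IDs are listed (1, 10, 20, 30, 40, 50, 60, 100) against seven names, so one ID has no documented purpose.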

@@ -0,0 +1,118 @@
---
type: client
name: kittle-design
display_name: Kittle Design & Construction
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/kittle-design/session-logs/2026-04-24-session.md
---
# Kittle Design & Construction
## Overview
- **Business type:** Design & construction firm
- **M365 tenant:** kittlearizona.com
- **Billing model:** Time and materials [unverified — one ticket observed]
- **Billing rate:** Unknown (Labor - Remote Business, product_id 1190473)
- **Contract status:** Unknown
- **Syncro ticket:** #32207
## Contacts
| Name | UPN | Notes |
|---|---|---|
| Alexis | alexis@kittlearizona.com | Confirmed compromise — hidden inbox rule, duplicate Authenticator, password reset issued |
| Ken | Ken@kittlearizona.com | Suspicious inbox rule "Admin" (Capital One/Bill.com) — status unconfirmed as of session end |
| Lori | Lori@kittlearizona.com | Two Authenticator entries (different Samsung models — likely phone upgrade) |
| Scott | scott@kittlearizona.com | Phone-only MFA, no Authenticator enrolled |
## Infrastructure
- **On-premises servers/workstations:** Not documented.
- **Entra P1/P2:** NOT licensed — sign-in logs and Identity Protection unavailable.
- Token cache location (local): `/tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/`
## Network
*(not documented)*
## Cloud / M365
| Property | Value |
|---|---|
| Tenant domain | kittlearizona.com |
| Tenant ID | 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 |
| Entra P1/P2 | No — sign-in logs unavailable |
| Exchange Admin role | Assigned to Security Investigator SP (manually) |
### Service Principals (Remediation Tool)
| App | SP Object ID | Role |
|---|---|---|
| Security Investigator | 26e16c7a-0ac8-4f85-bdd7-992611bbd271 | Exchange Administrator |
| Exchange Operator | 775ec856-f032-4dcf-a499-ccf7f9bce07b | Exchange Administrator |
| User Manager | ea0277ab-497c-45f7-b88a-e2d53f54a4c7 | User Administrator + Authentication Administrator |
| Tenant Admin | 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5 | *(role not documented)* |
> [WARNING] Alexis's temp password `KittleGwiNUK#2026` was in the session log. This is a force-change-on-login temp password issued 2026-04-23 — it should already be changed. Do not use. Store any active credentials in vault only.
### Alexis — Compromise Details
- **Hidden inbox rule "."** — was routing Howmet-related emails to Conversation History folder. Deleted.
- **Emails recovered** (moved back to inbox, HTTP 201):
- "RE: Kittle Visit to review open projects and Billing discrepancies" — Erick.Martinez1@howmet.com (2025-03-04)
- "RE: HOWMET FASTENING SYSTEMS, PURCHASE ORDER: 221422333" — Miguel.Angulo@howmet.com (2025-03-04)
- "FW: Please ignore. | Petra" — Buy.PayHowmet@howmet.com (2025-02-28)
- **Duplicate Authenticator entries** — two entries, same device name "iPhone 12 Pro Max" but different app versions. Suspicious entry ID: `c927402a-75c6-4a55-840a-86d1eea43a9b` (app version 6.8.40). Pending removal after confirmation from Alexis.
- **Sessions revoked** — revokeSignInSessions returned true.
- **Password reset** — temp password issued, force-change enforced.
- **User object ID:** `74a1eae1-c0dd-4544-a98f-3a18f809785a`
- **Exchange identity:** `alexis\2866869517449953281`
### OAuth Consents Revoked
**c5df10ae-2aa7-4283-86ef-1884c267a9ac** (AllPrincipals — 7 grants deleted):
- Had Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes — extremely broad.
**9b504397-914d-4af2-b6d9-9081e80da54e** (IMAP legacy auth — 1 grant deleted):
- IMAP.AccessAsUser.All, openid, offline_access — consented by unknown user.
## GuruRMM
*(not documented)*
## Active Projects / Open Items
| Priority | Action | Owner |
|---|---|---|
| P1 | Ask Alexis: count Authenticator entries on phone. If only one, remove suspicious entry `c927402a` | Mike |
| P1 | Ask Ken: does he recognize the "Admin" inbox rule (Capital One, Bill.com, @flystucson.com)? If no → escalate (password reset, session revocation, rule deletion, check Bill.com/Capital One transactions) | Mike |
| P2 | Verify Alexis received temp password `KittleGwiNUK#2026` and has changed it | Mike |
| P3 | Remove Lori's old Authenticator (SM-G975U Samsung S10+) after confirming current phone | Mike |
| P3 | Enroll Scott in Microsoft Authenticator (currently phone-only MFA) | Mike |
| P3 | Invoice ticket #32207 (1.0 hr Labor - Remote Business, product_id 1190473) | Mike |
## Key Events / History
### 2026-04-23/24 — Full M365 breach check and remediation
Full report: `clients/kittle-design/reports/2026-04-23-breach-check.md`
- Onboarded Exchange Operator and Tenant Admin apps (consent + role assignment).
- Exchange Administrator role was NOT assigned to Security Investigator at time of initial breach check — assigned manually during remediation. SMTP forwarding check was therefore incomplete during the breach check phase.
- Two high-severity findings: Alexis's hidden inbox rule and duplicate Authenticator.
- One unresolved finding: Ken's "Admin" rule — awaiting his response.
- Seven OAuth grants deleted from the AllPrincipals consent (c5df10ae) — very broad scopes including Directory.ReadWrite.All.
## Anti-Patterns / Warnings
- [WARNING] Ken's inbox rule "Admin" (filtering Capital One, Bill.com, @flystucson.com) is unresolved. If Ken cannot explain it, treat as active compromise: password reset, session revocation, rule deletion, check financial accounts immediately.
- [WARNING] SMTP forwarding check was NOT completed — Exchange Admin role was missing on Security Investigator during initial sweep. Re-run SMTP forwarding check on all mailboxes.
- [WARNING] Kittle has NO Entra P1/P2 — sign-in log queries and Identity Protection risky user signals are unavailable. Rely on Exchange audit logs and consent audits only.
- Do not use the AllPrincipals consent app ID c5df10ae for anything — it was a malicious/overbroad app and all its grants have been revoked.
## Backlinks
- *(no related wiki articles yet)*
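
Review bot: The temporary password for Alexis is committed in clear text twice, in the [WARNING] blockquote after the Service Principals table and again in the P2 row of Active Projects / Open Items, which contradicts that warning's own "Store any active credentials in vault only." Replace both occurrences with a redacted placeholder or a vault reference, and because the value stays in git history, confirm the forced change has happened before this merges instead of leaving it as an open P2. The Infrastructure line recording a token cache under `/tmp/remediation-tool/` should also say which host it is on and whether it was purged after the session.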

348
wiki/clients/kittle.md Normal file
@@ -0,0 +1,348 @@
---
type: client
name: kittle
display_name: Kittle (client)
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/kittle/docs/overview.md
- clients/kittle/docs/servers/server.md
- clients/kittle/docs/network/topology.md
- clients/kittle/docs/network/firewall.md
- clients/kittle/docs/network/dns.md
- clients/kittle/docs/network/dhcp.md
- clients/kittle/docs/network/vlans.md
- clients/kittle/docs/cloud/m365.md
- clients/kittle/docs/cloud/azure.md
- clients/kittle/docs/rmm/rmm.md
- clients/kittle/docs/security/antivirus.md
- clients/kittle/docs/security/backup.md
- clients/kittle/docs/issues/log.md
- clients/kittle/docs/email/dkim-dmarc-setup.md
- clients/kittle/PROJECT_STATE.md
- clients/kittle/session-logs/2026-05-08-howard-joshua-onsite-and-gururmm-onboarding.md
---
# Kittle Design & Construction LLC
## Overview
- **Business type:** General contractor (construction)
- **Address:** 2539 N Balboa Ave #125, Tucson, AZ 85705
- **Phone:** 520.299.0404 | **Fax:** 520.299.0477
- **Website:** kittlearizona.com
- **Syncro customer ID:** 32460233
- **Status:** Active — onboarding in progress (as of 2026-05-08)
- **Billing model:** [unverified] — no contract or rate documented in source files
- **Hours remaining:** [unverified] — not documented
---
## Contacts
| Name | Title | Email | Notes |
|------|-------|-------|-------|
| Ken Schagel | Owner / Primary Contact | ken@kittlearizona.com | |
| Kimberly Ross | Admin | admin@kittlearizona.com | Primary M365 contact per session log |
| Darline Cabrera | Bookkeeper | accounting@kittlearizona.com | Role account: `accountant` on AD |
| Joshua Sutherland | Employee (new 2026-05-08) | joshua@kittlearizona.com | Took over Wrex's workstation |
| Howard Enos | MSP Tech (ACG) | — | AD account: `sysadmin` (Domain Admin) |
**Known M365 users (licensed):**
- Office 365 E3 (no Teams): Alexis Schagel, Kalvin Hairston, Ken Schagel, Wrex Watson
- Business Standard: Accounting, Admin (Kimberly Ross), Brandon Blazer, Hayden Schagel, Jason Stubblefield, Johnny Calhoun, Joshua Sutherland, Lori Schagel, Marco Fragoso, Michael Sanchez, Neal Crusius, Scott Zehner
---
## Infrastructure
### Servers
| Hostname | IP | OS | Role | Hardware | Notes |
|----------|----|----|------|----------|-------|
| SERVER | 10.0.0.5 | Windows Server 2025 Standard **EVALUATION** | Primary DC, DNS, DHCP (unused), File Server, Print Server | HPE ProLiant MicroServer Gen11, Intel Xeon E-2414 (4 cores), 80 GB RAM | [WARNING] EVALUATION license — expires 180 days from install. Shuts down hourly after expiry. Syncro asset: `SERVER2021` (id `10584015`) |
**SERVER storage:**
| Drive | Label | Size | Notes |
|-------|-------|------|-------|
| C: | OS | ~11 TB | Primary volume (NTFS) |
| Secondary | Server2 2022_03_31 | ~2 TB | Purpose unknown — possibly old server backup/migration data |
**[WARNING]** Unknown service listening on TCP port 8019 on SERVER. Not a standard Windows/AD port. Likely QuickBooks or ScreenConnect — needs identification (`netstat -ano | findstr 8019`).
### Workstations
| AD Name | OS | Last Logon | Notes |
|---------|----|------------|-------|
| FRONTDESK | Windows 11 Pro | 2026-03-09 | Front Desk user; Syncro asset id `11122225` |
| ACCOUNTING | Windows 11 Pro for Workstations | 2026-03-09 | `accountant` role account |
| CHRISTINE-WIN10 | Windows 11 Pro | 2026-03-09 | Legacy name; actually Win11 |
| DESKTOP-2560Q7R | Windows 11 Pro | 2026-03-06 | Wrex — now used by Joshua Sutherland; needs rename |
| WINDOWS-QV1B0EL | Windows 11 Pro | 2026-03-06 | User unknown; needs rename |
| DESKTOP-R0KA2UG | Windows 11 Pro | 2026-03-11 | User unknown; needs rename |
| DESKTOP-9B2SMD9 | Windows 11 Pro | 2026-03-06 | User unknown; needs rename |
**Known machine-to-user mapping:** FRONTDESK = Front Desk, ACCOUNTING = accountant (Darline?), CHRISTINE-WIN10 = Christine, DESKTOP-2560Q7R = Wrex/Joshua. Three workstations (WINDOWS-QV1B0EL, DESKTOP-R0KA2UG, DESKTOP-9B2SMD9) unidentified — require onsite correlation.
### Active Directory
- **Domain:** kittle.lan (NetBIOS: KITTLE)
- **Domain Admins:** Administrator, sysadmin (Computer Guru)
- **Total domain users:** 12 (8 regular + sysadmin + QBDataServiceUser34 + joshua.sutherland added 2026-05-08 + Administrator)
- **Total workstations:** 7
**AD Users:**
| SamAccountName | Display Name | Enabled | Notes |
|---------------|-------------|---------|-------|
| Administrator | Administrator | Yes | Domain Admin |
| alexis | Alexis | Yes | |
| Marco | Marco | Yes | |
| accountant | accountant | Yes | [WARNING] Role-based — should be individual account |
| ken | Ken | Yes | Owner |
| frontdesk | Front Desk | Yes | [WARNING] Role-based — should be individual account |
| lori | Lori | Yes | |
| wrex | Wrex | Yes | [WARNING] Wrex's PC now used by Joshua |
| sysadmin | Computer Guru | Yes | MSP Domain Admin |
| QBDataServiceUser34 | QuickBooks service | Yes | Service account |
| joshua.sutherland | Joshua Sutherland | Yes | Created 2026-05-08; UPN joshua.sutherland@kittle.lan, email joshua@kittlearizona.com |
### File Shares
| Share | Path | Notes |
|-------|------|-------|
| Home | C:\Shares\Home | User home folders; mapped via HomeFolder GPO |
| QBooks | C:\Shares\Home\QBooks | QuickBooks data files |
| NETLOGON | (default) | AD logon scripts |
| SYSVOL | (default) | Group Policy |
### Installed Software (SERVER)
| Software | Notes |
|----------|-------|
| QuickBooks Pro 2024 (v34) | [WARNING] Should NOT be on a DC — migrate to workstation |
| ScreenConnect | Remote access agent |
### Backup
[WARNING] NO BACKUP EXISTS. No Windows Server Backup, no third-party agent, no cloud backup. If SERVER fails, AD, DNS, file shares, and QuickBooks data are permanently lost. SERVER is the only domain controller.
### Antivirus / EDR
*(not documented)* — no AV/EDR product deployed or documented.
---
## Network
### Topology
- **Subnet:** Single flat 10.0.0.0/24 — no VLANs, no segmentation
- **Gateway:** 10.0.0.1 (ISP router — consumer-grade, acts as gateway + DHCP + only "firewall")
- **Switch:** UniFi USW-Lite-16-PoE at 10.0.0.122 (MAC: 0C:EA:14:8A:8D:7F); managed by ACG's self-hosted UniFi controller
- **~31 devices** observed on network via ARP — most unidentified (phones, printers, APs, workstations)
**Key device IPs:**
| Device | IP | Notes |
|--------|----|-------|
| ISP Router | 10.0.0.1 | Gateway, DHCP, only perimeter device |
| SERVER (DC) | 10.0.0.5 | Static |
| UniFi Switch | 10.0.0.122 | Should have DHCP reservation |
### Firewall
[WARNING] NO dedicated firewall. ISP router at 10.0.0.1 (MAC: 42:0f:c1:f0:e6:43 — randomized/consumer MAC) is the only perimeter device. No stateful inspection, IDS/IPS, content filtering, or granular rules. The firewall.md template is empty — no firewall config has been documented because none exists.
**Recommendation:** Deploy pfSense (free) or commercial UTM (FortiGate, SonicWall) between ISP router and LAN switch.
### VLANs
No VLANs configured. All devices on the same broadcast domain. The vlans.md template exists but is empty — no VLAN segmentation is deployed.
### DNS
**Internal DNS:** Windows DNS on SERVER (10.0.0.5), AD-integrated.
- Zones: kittle.lan, _msdcs.kittle.lan
- Forwarder: 10.0.0.1 (ISP router) — single forwarder, no redundancy
- No reverse lookup zone for 10.0.0.0/24 (PTR lookups fail)
**External DNS (kittlearizona.com):** Hybrid NSOne + Squarespace nameservers
| Nameservers |
|-------------|
| dns1.p02.nsone.net, dns2.p02.nsone.net, dns3.p02.nsone.net, dns4.p02.nsone.net |
| ns01.squarespacedns.com, ns02.squarespacedns.com, ns03.squarespacedns.com, ns04.squarespacedns.com |
**Email DNS records (as of 2026-04-23):**
| Record | Status | Value |
|--------|--------|-------|
| MX | [OK] | kittlearizona-com.mail.protection.outlook.com |
| SPF | [OK] | v=spf1 include:spf.protection.outlook.com -all |
| DKIM | [WARNING] MISSING | Not configured — HIGH PRIORITY |
| DMARC | [WARNING] MISSING | Not configured — HIGH PRIORITY |
**DKIM/DMARC setup guide:** `clients/kittle/docs/email/dkim-dmarc-setup.md`
DNS registrar: Unknown — needs identification.
### DHCP
[WARNING] DHCP runs on the ISP router (10.0.0.1), not on SERVER. The Windows DHCP role is installed on SERVER but has zero scopes configured. Unknown what DNS server is handed out via DHCP — if DHCP hands out ISP DNS instead of 10.0.0.5, AD name resolution may break for domain clients. DHCP range, lease time, and reservations not documented (need ISP router admin access to check).
---
## Cloud / M365
### Tenant
| Field | Value |
|-------|-------|
| Tenant name | kittlearizona.com |
| Tenant ID | 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 |
| Primary domain | kittlearizona.com |
| Admin portal | https://admin.microsoft.com |
### Licensing (as of 2026-04-28)
| License | Qty | Assigned | Available |
|---------|-----|----------|-----------|
| Microsoft 365 Business Standard (SKU: O365_BUSINESS_PREMIUM, skuId: f245ecc8-75af-4f8e-b61f-27d8114de5f3) | 12 | 12 | 0 |
| Office 365 E3 No Teams (skuId: 46c3a859-c90d-40b3-9551-6178a48d5c18) | 4 | 4 | 0 |
ACG `sysadmin` account is unlicensed.
### Exchange Online / Email
- Mail provider: Microsoft 365 (kittlearizona.com)
- MX: kittlearizona-com.mail.protection.outlook.com
- Shared mailboxes, distribution groups, mail flow rules: *(not documented)*
- Known Outlook accounts in Syncro notes (plaintext — flagged for vault migration): `kittletucson@outlook.com`, `kittletucson2@outlook.com`
### Azure
*(not documented)* — Azure subscription template is empty; no Azure VMs or cloud resources documented.
### Entra ID / Hybrid Join
- Hybrid joined: [unverified] — not documented
- No Azure AD Connect server documented
- MFA enforcement status: [unverified]
### SharePoint / OneDrive / Teams
*(not documented)*
---
## GuruRMM
| Field | Value |
|-------|-------|
| Client name | Kittle Design & Construction LLC |
| Client ID | d8b08837-78e0-441e-b824-e0abbf0254ed |
| Client code | KITTLE |
| Site name | Main Office |
| Site ID | 851376d1-33be-46ee-9e48-be44767e4a0a |
| Site code | SILVER-HAWK-7639 |
| Site address | 2539 N Balboa Ave #125, Tucson AZ 85705 |
| API key (enrollment) | Vault: `clients/kittle/gururmm-site-main.sops.yaml` (vault commit 6eb3414) |
| Dashboard | https://rmm.azcomputerguru.com |
| API | https://rmm-api.azcomputerguru.com |
**GuruRMM client and site created 2026-05-08** by Howard during Joshua onboarding onsite. Agent deployment was in progress at time of log:
- SERVER (SERVER2021) — agent install pending/in-progress during onsite
- Wrex's workstation (DESKTOP-2560Q7R) — agent install pending/in-progress during onsite
- Enrolled agent IDs and hostnames: *(not yet documented — confirm after onsite)*
**Agent deployment command (ScreenConnect, requires `#!ps` prefix):**
```powershell
#!ps
$u='https://rmm-api.azcomputerguru.com/downloads/gururmm-agent-windows-amd64-latest.exe';
$d='C:\Windows\Temp\gururmm-agent.exe';
Invoke-WebRequest $u -UseBasicParsing -OutFile $d;
& $d install --server-url 'wss://rmm-api.azcomputerguru.com/ws' --api-key '<key-from-vault>'
```
---
## Active Projects / Open Items
### CRITICAL — Must Resolve
- [ ] **Activate Windows Server 2025 full license on SERVER** — evaluation expires after 180 days; server shuts down hourly after expiry. Check remaining time: `slmgr /dlv`
- [ ] **Implement backup for SERVER** — No backup exists. Options: Windows Server Backup to USB/NAS, Veeam Free, cloud backup (Backblaze B2/Wasabi)
- [ ] **Migrate credentials from Syncro plaintext to SOPS vault:**
- SERVER admin (`administrator / AXman2Z`) → `clients/kittle/server2021.sops.yaml`
- Outlook accounts (`kittletucson@outlook.com`, `kittletucson2@outlook.com`) → vault
- Strip plaintext from Syncro customer notes after vaulting
### HIGH Priority
- [ ] **Configure DKIM for kittlearizona.com** — Add CNAME selectors in NSOne/Squarespace; enable signing in M365 Defender Portal. Guide: `clients/kittle/docs/email/dkim-dmarc-setup.md`
- [ ] **Add DMARC policy for kittlearizona.com** — Start with `p=none` (monitor), escalate to `p=quarantine` after 1 week clean
- [ ] **Migrate QuickBooks off the domain controller** — QB should run on ACCOUNTING workstation; data stays on \\SERVER\QBooks
- [ ] **Deploy dedicated firewall** — ISP router only; no stateful inspection or content filtering
- [ ] **Confirm Joshua Sutherland's onsite setup complete** — local admin on Wrex's PC, password changed, GuruRMM agent installed
- [ ] **GuruRMM agent enrollment** — Confirm agents running on SERVER and Wrex's PC; roll out to FRONTDESK and other endpoints
### MEDIUM Priority
- [ ] Migrate DHCP from ISP router to Windows Server; verify DNS option hands out 10.0.0.5
- [ ] Replace role-based AD accounts (`accountant`, `frontdesk`) with individual named accounts
- [ ] Rename 4 workstations with generic DESKTOP-xxx / WINDOWS-xxx names
- [ ] Investigate and identify port 8019 on SERVER
- [ ] Identify unknown DNS registrar for kittlearizona.com
- [ ] Verify what DNS server ISP router hands out via DHCP (critical for AD)
- [ ] Investigate email issue: emails moved to folders reappearing in inbox (suspected Outlook cached mode / OST corruption)
- [ ] Identify M365 mailbox need for Joshua Sutherland (AD creation is separate from M365 licensing)
### LOW Priority
- [ ] Create reverse DNS zone for 10.0.0.0/24 (0.0.10.in-addr.arpa)
- [ ] Identify purpose of secondary SERVER volume "Server2 2022_03_31" (~2 TB)
- [ ] Identify 3 unknown workstations (WINDOWS-QV1B0EL, DESKTOP-R0KA2UG, DESKTOP-9B2SMD9) — requires onsite correlation
- [ ] Add secondary DNS forwarder on SERVER (8.8.8.8 or 1.1.1.1) for ISP router failure redundancy
- [ ] Enable DNS scavenging to prevent stale records
- [ ] Identify remaining ~20 unknown ARP entries on the network
- [ ] Identify DHCP reservations on ISP router; create proper reservations for SERVER, switch, printers
---
## Key Events / History
| Date | Event |
|------|-------|
| 2026-04-16 | Standard client directory structure applied by Howard; onboarding started |
| 2026-04-23 | Email DNS audit: SPF confirmed OK, DKIM/DMARC confirmed missing |
| 2026-04-28 | M365 licensing documented: 16 total seats (12 Business Standard + 4 E3), all assigned |
| 2026-03-12 | Server audit: discovered evaluation license, no backup, QB on DC, no firewall, role-based accounts, DHCP on ISP router |
| 2026-03-12 | Fixed HomeFolder GPO drive map action from Replace → Update to stop File Explorer closing on GP refresh |
| 2026-03-20 | Deployed "Intranet Zone - File Server" GPO — adds \\SERVER and \\10.0.0.5 to Local Intranet zone; fixes PDF preview on shares (Oct 2025 security update regression) |
| 2026-03-25 | FRONTDESK: folder view sort order fix — cleared Bags/BagMRU registry, disabled auto folder-type detection, forced Details view via AllFolders shell key |
| 2026-05-08 | Howard onsite: AD user `joshua.sutherland` created; GuruRMM client + Main Office site created; GuruRMM enrollment key vaulted; agents being deployed to SERVER and Wrex's PC |
---
## Anti-Patterns / Warnings
- [WARNING] **ScreenConnect command runner defaults to `cmd` context** — PowerShell scripts MUST be prefixed with `#!ps` or they will fail silently. `Invoke-WebRequest`, `ConvertTo-SecureString`, etc. all require PowerShell.
- [WARNING] **Do NOT run `Add-LocalGroupMember` on the DC to add a user to local Administrators** — DCs have no local SAM; the command will fail with "Group Administrators was not found." Run this on the target workstation instead.
- [WARNING] **SERVER is the sole domain controller** — Any outage = complete loss of AD, DNS, file shares, and QuickBooks data. No backup. No failover.
- [WARNING] **QuickBooks Pro 2024 is on the DC** — Do not migrate or decommission SERVER without a proper QuickBooks migration plan. Data is at `C:\Shares\Home\QBooks`.
- [WARNING] **DHCP DNS server unknown** — ISP router may be handing out ISP DNS instead of 10.0.0.5. Do not assume domain resolution works correctly for all clients. Test before deploying domain-joined systems.
- [WARNING] **Two Outlook account credentials (`kittletucson@outlook.com` / `kittletucson2@outlook.com`) and the SERVER admin password (`administrator / AXman2Z`) are in Syncro customer notes as plaintext.** Migrate to vault and strip from Syncro before any additional access sharing.
- [WARNING] **Wrex's AD account (`wrex`) is still active** but his workstation is now used by Joshua Sutherland. Wrex's account should be reviewed — disable or confirm Wrex is still an employee.
- [WARNING] **Password set during Joshua onboarding (`Kota2020!`) was set with force-change-at-logon.** Confirm Joshua completed the password change; if not, the temp password is known to Howard.
- [WARNING] **DKIM and DMARC are not configured.** Domain kittlearizona.com can be trivially spoofed. Emails to strict recipients (Gmail, Google Workspace) may land in spam.
- [WARNING] **GPO drive map action (HomeFolder GPO)** — Must stay as `Update`, not `Replace`. Changing back to Replace will cause File Explorer to close during GP refresh for users browsing mapped drives.
- [WARNING] **Always use `Update` (not `Replace`) for GPO drive maps** — Replace tears down and recreates the drive connection every ~90 min GP refresh cycle, killing open Explorer windows.
---
## Backlinks
- [[wiki/projects/gururmm]] — GuruRMM agent enrollment; Kittle is an active RMM client as of 2026-05-08
- [[wiki/clients/internal-infrastructure]] — ACG UniFi controller manages Kittle's UniFi switch
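
Review bot: Passwords are committed in clear text in three places: the SERVER administrator password in the CRITICAL open item "Migrate credentials from Syncro plaintext to SOPS vault" and again in the Anti-Patterns list, and Joshua's onboarding password in the Anti-Patterns list. The open item exists to get these out of plaintext, so copying them into the wiki adds a second plaintext location; reference the vault path instead (`clients/kittle/server2021.sops.yaml` is already named) and rotate the administrator password, since it will remain in git history. Smaller consistency points: Total domain users says 12 but the AD Users table has 11 rows, the Key Events table puts the 2026-03 rows after 2026-04-28, and this article carries the same tenant ID as wiki/clients/kittle-design.md (3d073ebe-806a-4a5e-9035-3c7c4a264fc0) without a Backlinks entry connecting the two.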

@@ -0,0 +1,112 @@
---
type: client
name: scileppi-law
display_name: The Law Offices of Chris Scileppi
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/scileppi-law/session-logs/2026-05-07-howard-sylvia-mac-mini-mail-memory.md
---
# The Law Offices of Chris Scileppi
## Overview
- **Business type:** Law firm
- **Syncro Customer ID:** 9601863
- **Billing model:** Time and materials [unverified]
- **Billing rate:** $175/hr (onsite business, product 26118)
- **Contract status:** Unknown
- **Note:** As of 2026-05-07, Sylvia's billing line item was logged but deliberately NOT invoiced — held for later disposition per Mike's instruction.
## Contacts
| Name | Role | Notes |
|---|---|---|
| Chris Scileppi | Owner / attorney | Client namesake |
| Sylvia | Employee | Primary user of the Mac mini with memory issue; single user account `sylvia` on machine |
## Infrastructure
### Workstations
| Asset | Hostname | Model | RAM | Storage | OS | Status |
|---|---|---|---|---|---|---|
| Sylvia's Mac mini | `Sylvias-Mini` | Apple Mac14,3 (M2 base) | 8 GB LPDDR5 (Hynix, soldered — no upgrade path) | 256 GB SSD (92.78 GB free as of 2026-05-07) | macOS 14.4.1 (23E224) | Mail disabled; on webmail |
**Current state of Sylvias-Mini:**
- Apple Mail disabled at System Settings → Internet Accounts (Mail toggle off; Calendar/Contacts left enabled).
- Sylvia using outlook.office.com (webmail) for daily mail.
- Machine is usable but 8 GB with Office + OneDrive + Safari is tight without Mail running.
- Machine is NOT enrolled in GuruRMM (enrollment attempted 2026-05-07, failed — see notes).
### Replacement Mac (planned, not yet ordered)
- **Target spec:** M4 Mac mini, 16 GB minimum, 24 GB preferred. 256 GB SSD sufficient; 512 GB optional.
- **Migration plan:** Migration Assistant over wired Ethernet or Thunderbolt, then reconfigure Mail with Download Attachments = None.
## Network
*(not documented)*
## Cloud / M365
- **Mail platform:** Exchange/M365 (Sylvia's mailbox is an IMAP/Exchange account accessed via Apple Mail or Outlook Web).
- **Webmail URL:** outlook.office.com
- Tenant domain and ID not documented in this session log.
## GuruRMM
- **GuruRMM site:** Main Office (`WEST-MEADOW-9025`)
- **Sylvias-Mini enrollment:** FAILED as of 2026-05-07. macOS installer not yet available on GuruRMM server; Cloudflare bot challenge also blocked install one-liner. Documented separately at `session-logs/2026-05-07-howard-gururmm-macos-installer-and-cf-bot-block.md`.
- Enrollment to be retried on the replacement Mac after migration, once Mike ships the macOS agent.
## Active Projects / Open Items
| Priority | Action | Owner |
|---|---|---|
| P1 | Spec, quote, and order replacement Mac mini (M4, 16 or 24 GB) | Mike |
| P2 | When new Mac arrives: run Migration Assistant from Sylvias-Mini; reconfigure Mail with Download Attachments = None | Howard |
| P2 | Enroll new Mac in GuruRMM (gated on macOS agent availability from Mike) | Howard |
| P3 | Re-enable Mail in Internet Accounts on new machine after migration verified | Howard |
| P3 | Invoice Syncro ticket #32262 (line item 42350646 exists, $175.00 × 1.0 — not yet invoiced per Mike's instruction) | Mike |
## Key Events / History
### 2026-05-07 — Sylvia's Mac mini: Apple Mail memory exhaustion
**Syncro ticket #32262** — "Sylvia is having applications crash and getting errors regarding low memory."
**Technician:** Howard Enos. Status: Resolved.
**Root cause:** Apple Mail's local cache (Envelope Index + message cache under `~/Library/Mail/V10/`) had grown beyond what 8 GB unified RAM can service. Mail's virtual memory footprint exceeded 45 GB on an 8 GB machine, forcing constant swap. ~4.4 million swapouts observed in 9 minutes of uptime.
**Diagnosis process:**
1. Attempt 1: Backed up and rebuilt Envelope Index. Memory footprint rose to 12 GB before Mail was killed by OS for memory pressure.
2. Attempt 2: Fresh index rebuild — footprint climbed to 28 GB while downloading 349 messages (ETA shown: "69 hours"). This conclusively ruled out index corruption — the mailbox itself is too large for 8 GB.
**Interim fix applied:**
- Force-quit Mail.
- Disabled Mail toggle in System Settings → Internet Accounts.
- Verified Mail no longer auto-relaunches after reboot.
- Walked Sylvia through outlook.office.com in Safari for daily mail.
**Billing artifacts:**
| Artifact | ID |
|---|---|
| Syncro ticket | #32262 |
| Resolution comment | 409686752 |
| Timer entry | 39082403 (3600 s, billable) |
| Line item | 42350646 ($175.00 × 1.0, non-taxable) |
| Invoice | None — deliberately not created |
## Anti-Patterns / Warnings
- [WARNING] Do NOT re-enable Apple Mail on Sylvias-Mini. The machine has 8 GB soldered RAM with no upgrade path — Mail will reproduce the memory exhaustion immediately. Machine stays on webmail until replaced.
- [WARNING] After migration to new Mac mini, configure Mail → Settings → Accounts → Mail Behaviors → Download Attachments = None. Skipping this on a large mailbox will eventually reproduce the same issue even on 16/24 GB.
- 8 GB M2 Mac mini RAM is **soldered and not upgradeable** — do not quote a RAM upgrade to the client.
- GuruRMM macOS enrollment is blocked until Mike ships the macOS agent — do not attempt install one-liner again without confirming agent availability first.
## Backlinks
- `session-logs/2026-05-07-howard-gururmm-macos-installer-and-cf-bot-block.md` — related GuruRMM macOS installer failure
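Review bot: The GuruRMM section gives two separate causes for the failed Sylvias-Mini enrollment (no macOS installer on the server, and the Cloudflare bot challenge blocking the install one-liner), but the Open Items row "Enroll new Mac in GuruRMM (gated on macOS agent availability from Mike)" and the last Anti-Patterns bullet gate the retry on agent availability only. Add the Cloudflare challenge as its own open item with an owner, or state in the warning that both conditions must be cleared before the one-liner is retried. Otherwise the retry on the replacement Mac can hit the same block. The Cloud / M365 line also calls the mailbox "an IMAP/Exchange account", which leaves the actual protocol undetermined. Mark it [unverified], as the rest of the wiki does for unconfirmed facts.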

View File

@@ -0,0 +1,163 @@
---
type: client
name: western-tire
display_name: Western Tire
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/western-tire/session-logs/2026-04-22-session.md
---
# Western Tire
## Overview
- **Business type:** Tire retail/service (westerntire.com). Website redirects to jackfurriers.com — Jack Furrier's Tire is the active brand.
- **Syncro Customer ID:** 391491 (Mike Furrier — same record as the Furrier client)
- **Billing model:** Time and materials [unverified — ticket not yet billed as of session end]
- **Billing rate:** Unknown
- **Contract status:** Unknown
> Note: Western Tire and the Furrier client share Syncro customer ID 391491 (Mike Furrier). See [[wiki/clients/furrier.md]].
## Contacts
| Name | Role | Notes |
|---|---|---|
| Mike Furrier | Owner | Primary contact; owns Western Tire and Desert Rat |
### Mailbox users (westerntire.com, 23 notified)
`accounting, admin, ap, ap2, ar, chloe, fduarte, heather, jack, jack.furrier, jack_ritter, karen_dwornik, k_crespo, m_bouck, millie_scott, pat_wallace, payroll, pete, purchasing, rachel_riggs, rick, sean, work`
System/automated (not notified): `donotreply, storealert, integrilogic, receipts, payslips, programs, inventory`
## Infrastructure
### Mail servers
| Server | Hostname | IP | Role | Status |
|---|---|---|---|---|
| IX (current) | ix.azcomputerguru.com | 72.194.62.5 | cPanel email host (new) | Active — all westerntire.com mail lands here |
| websvr (old) | websvr.acghosting.com | 162.248.93.81 | Old cPanel host | Decommissioned for westerntire.com mail; still authoritative DNS; forwards arriving mail to IX during DNS lag |
> [WARNING] Session log contained plaintext SSH credentials for websvr and IX. Use vault only: `vault.sh get-field infrastructure/websvr` and `vault.sh get-field infrastructure/ix`.
### IX — cPanel account
- **cPanel account:** westernt
- **Home dir:** 62 GB
- **Mailboxes:** 30 accounts under westerntire.com
- **MySQL:** None (account does not use MySQL)
- **SSL:** Wildcard `*.westerntire.com` from Let's Encrypt, valid to 2026-05-30 (AutoSSL should renew)
### Key file paths on IX
| Path | Purpose |
|---|---|
| `/etc/exim.conf.local` | Mailprotector relay config (smarthost router + relay transport) |
| `/etc/mailprotector_domains` | Domains using Mailprotector outbound (westerntire.com added) |
| `/etc/skipsmtpcheckhosts` | Mailprotector inbound IPs bypass (50 IPs added) |
| `/home/westernt/public_html/.htaccess` | 301 redirect to jackfurriers.com |
| `/var/cpanel/domain_keys/private/westerntire.com` | DKIM private key |
### Key file paths on websvr
| Path | Purpose |
|---|---|
| `/var/named/westerntire.com.db` | Authoritative DNS zone (PowerDNS) |
| `/etc/manualmx` | Service forwarding → ix.azcomputerguru.com |
| `/etc/remotedomains` | westerntire.com listed as remote domain |
### Local artifacts
| Path | Purpose |
|---|---|
| `clients/western-tire/dns-backups/westerntire.com.db.2026-04-22.bak` | Pre-migration DNS zone backup |
| `clients/western-tire/email-setup-guide.html` | User notification email (sent 2026-04-22) |
| `clients/western-tire/email-setup-guide.md` | Markdown source for above |
## Network
### DNS (westerntire.com)
- **Nameservers:** ns1.azcomputerguru.com, ns2.azcomputerguru.com (PowerDNS on websvr — ACG-authoritative)
- **A record:** 72.194.62.5 (IX) — TTL 300
- **MX:** `10 westerntire-com.inbound.emailservice.io` (Mailprotector — unchanged during migration)
- **SPF:** `v=spf1 +a +mx +ip4:162.248.93.233 +ip4:72.194.62.5 +ip4:184.187.220.69 +include:spf.us.emailservice.io +ip4:72.194.188.146 +ip4:162.248.93.185 +ip4:173.201.39.86 ~all`
- **DKIM:** `default._domainkey` (generated by IX during transfer)
- **DMARC:** `v=DMARC1; p=none; rua=mailto:sysadmin@azcomputerguru.com`
- **Zone TTL:** 300s (lowered from 14400 this session)
### jackfurrier.com / jackfurriers.com
- `jackfurriers.com` (with 's') — active redirect target from westerntire.com .htaccess. Main brand site; not on ACG servers.
- `jackfurrier.com` (no 's') — DNS via Cloudflare + Google Workspace MX. Not on ACG servers.
- `/etc/vdomainaliases/jackfurrier.com` on IX: `jackfurrier.com : westerntire.net` — dormant alias, no active inbound.
## Cloud / M365
*(not documented)*
## GuruRMM
*(not documented)*
## Active Projects / Open Items
| Priority | Item | Owner |
|---|---|---|
| P1 | Monitor for user mail client issues after email setup guide was sent (new IMAP/SMTP settings) | Mike |
| P2 | Bill ticket #32199 when scope is confirmed | Mike |
| P2 | westerntire.com SSL cert (`*.westerntire.com`) expires 2026-05-30 — verify AutoSSL renewed | Mike |
| P3 | Update Syncro customer property "DNS Detail" field — currently says "Email is on Websvr" (now IX) | Mike |
### User mail client settings (from setup guide sent 2026-04-22)
- **IMAP:** mail.westerntire.com:993 SSL/TLS
- **POP3:** mail.westerntire.com:995 SSL/TLS
- **SMTP:** mail.westerntire.com:587 STARTTLS
- **Username:** full email address; password unchanged
- **Webmail:** https://mail.westerntire.com
## Key Events / History
### 2026-04-22 — Full email migration websvr → IX
**Syncro ticket #32199** (ID: 109325058) — Status: Waiting on Customer. Not yet billed.
Migration completed in one session:
1. Verified cpmove account transfer (62 GB home dir, 30 mailboxes) on IX.
2. Managed DNS A record transition (websvr → IX); backed up zone file.
3. Configured Mailprotector SBR on IX (`/etc/mailprotector_domains`, exim smarthost router).
4. Added all 50 Mailprotector inbound IPs to `/etc/skipsmtpcheckhosts` on IX.
5. Updated Mailprotector admin portal delivery server from 162.248.93.81 to 72.194.62.5.
6. Added missing `.htaccess` 301 redirect to jackfurriers.com on IX (was absent post-cpmove).
7. Confirmed websvr service forwarding in place for DNS lag period.
8. Sent HTML email setup guide to 23 real user accounts.
Outbound test confirmed: `accounting@westerntire.com → westerntire-com.outbound.emailservice.io` — 250 OK.
Inbound confirmed: live mail arriving from Mailprotector inbound relay at 18:59.
A duplicate ticket #32198 was inadvertently created and deleted.
### Accounts with high unread counts (pre-existing, not migration artifact)
- jack.furrier: 737 unread
- millie_scott: 466 unread
- pat_wallace: 385 unread
- jack_ritter: 144 unread
- rachel_riggs: 111 unread
## Anti-Patterns / Warnings
- [WARNING] Plaintext SSH credentials for websvr and IX appeared in session log. Always retrieve from vault — never hardcode.
- [WARNING] SSL cert `*.westerntire.com` expires 2026-05-30 — check AutoSSL renewal immediately if it's past that date.
- Do NOT use `${sg{}{\\\.}{-}}` in exim.conf.local on WHM servers — WHM buildeximconf strips backslash levels and breaks the regex. Use `${tr{}{.}{-}}` instead.
- Do NOT use tainted `$sender_address_domain` directly in file path lookups in exim 4.94+ — use `dsearch` (returns untainted value) for DKIM private key paths.
- Do NOT look for westerntire.com mail on websvr — migration is complete; mail lives on IX.
- Syncro "DNS Detail" field is stale — it still says "Email is on Websvr" as of 2026-04-22.
## Backlinks
- [[wiki/clients/furrier.md]] — Same Syncro customer (Mike Furrier, ID 391491); desertrat.com email infrastructure on same websvr
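Review bot: The Mail servers warning and the first Anti-Patterns bullet record that the session log contained plaintext SSH credentials for websvr and IX, yet the front matter still lists `clients/western-tire/session-logs/2026-04-22-session.md` as the only source, and the Open Items table has no entry to rotate those credentials or redact the log. Pointing readers at the vault does not address the copy that was already exposed. Add a P1 item with an owner for rotation and redaction. The SSL item needs the same attention: the cert is valid to 2026-05-30 and the article was compiled 2026-05-24, but the warning says to check AutoSSL only "if it's past that date". Reword it to verify renewal before expiry, and consider raising it from P2. The DNS section also documents SPF with six `ip4` entries and `~all` next to DMARC `p=none`, with no follow-up item to review them after the migration, even though the outbound test shows mail leaving through the Mailprotector relay.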