claudetools/clients/quantumwms/reports/2026-05-26-email-infrastructure-assessment.txt
Mike Swanson c7e5dfc673 sync: auto-sync from GURU-5070 at 2026-05-26 15:58:46
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-05-26 15:58:46
2026-05-26 15:58:50 -07:00


EMAIL INFRASTRUCTURE ASSESSMENT & MIGRATION RECOMMENDATION
Arizona Computer Guru LLC
Prepared for: John Velez & Sheila Peress, Quantum WMS
Date: May 26, 2026
Prepared by: Mike Swanson
================================================================================
EXECUTIVE SUMMARY
================================================================================
Following our review of Quantum WMS's current email infrastructure, we have
identified significant security deficiencies in the current Intermedia hosted
Exchange setup and have confirmed that a migration to Microsoft 365 Business
Premium is technically superior, more cost-effective, and fully satisfies your
regulatory compliance requirements under FINRA Rule 4511 and SEC Rule 17a-4.
We are recommending: Microsoft 365 Business Premium (Exchange and full Office
suite) with Mailprotector as a managed email security frontend.
Before we proceed, we need one item from Sheila: the written policy from your
Broker/Dealer specifying email and security compliance requirements. Details
at the end of this document.
================================================================================
CURRENT STATE: INTERMEDIA HOSTED EXCHANGE
================================================================================
Your current email is hosted by Intermedia on their "exch090" Exchange Server
cluster. This is important to understand: Intermedia is not running Microsoft's
cloud. They are running Exchange Server software in their own data center —
the same software that runs on an on-premises server. This distinction has
major security implications.
CRITICAL: YOUR DOMAIN HAS NO EMAIL SECURITY RECORDS
----------------------------------------------------
During our assessment we found the following DNS configuration issues that
represent active security risks today:
DMARC Record: MISSING
-----------------------------------------------------------------------
DMARC is what tells the internet what to do with email that claims to
be from @quantumwms.com but wasn't sent by your mail server. Without
it, anyone in the world can send email that appears to come from your
domain with no enforcement. This is the primary mechanism used in
CEO fraud and vendor impersonation attacks.
SPF Records: TWO RECORDS (misconfiguration)
-----------------------------------------------------------------------
Your domain has two conflicting SPF records:
Record 1: v=spf1 include:spf.intermedia.net -all
Record 2: v=spf1 include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all
Internet standards (RFC 7208) permit only ONE SPF record per domain.
Having two causes receiving mail servers to evaluate them unpredictably,
which can result in your legitimate email being marked as spam or
rejected outright.
DKIM: NOT CONFIGURED
-----------------------------------------------------------------------
DKIM cryptographically signs outbound email, proving it originated
from your mail server and has not been tampered with in transit.
Without it, your email cannot be fully authenticated by recipients.
These three issues exist independently of which email platform you use and
need to be corrected as part of any migration.
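
A sketch of the checks behind the three findings above, added here as an illustration and not part of the original assessment: it audits TXT strings offline, using the two SPF records quoted above as input. The function names, finding codes and FIXED_* sample values are assumptions made for the example, and the caller is assumed to know which DKIM selector to look up.

```python
# Added example: offline audit of email-authentication TXT records (no DNS queries).
def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def all_qualifier(spf):
    """Return the qualifier on the 'all' mechanism, or None if there is none."""
    for term in spf.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def audit(apex_txt, dmarc_txt, dkim_txt):
    """Return a sorted list of finding codes for one domain."""
    findings = set()
    spf = [t for t in apex_txt if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.add("SPF_MISSING")
    elif len(spf) > 1:
        # RFC 7208 section 4.5: more than one SPF record yields "permerror".
        findings.add("SPF_MULTIPLE_PERMERROR")
        if len({all_qualifier(r) for r in spf}) > 1:
            findings.add("SPF_CONFLICTING_ALL")
    dmarc = [d for d in map(parse_tags, dmarc_txt) if d.get("v") == "DMARC1"]
    if not dmarc:
        findings.add("DMARC_MISSING")
    elif dmarc[0].get("p", "").lower() == "none":
        findings.add("DMARC_MONITOR_ONLY")
    # DKIM key records live at <selector>._domainkey; an empty p= means revoked.
    if not any(parse_tags(t).get("p") for t in dkim_txt):
        findings.add("DKIM_NO_PUBLIC_KEY")
    return sorted(findings)

# The two SPF records quoted in this report; _dmarc and DKIM lookups are empty.
QUANTUM_APEX = [
    "v=spf1 include:spf.intermedia.net -all",
    "v=spf1 include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all",
]
# Constructed sample of a corrected domain; every value is a placeholder.
FIXED_APEX = ["v=spf1 include:spf.example.net -all"]
FIXED_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]
FIXED_DKIM = ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"]

if __name__ == "__main__":
    print(audit(QUANTUM_APEX, [], []), audit(FIXED_APEX, FIXED_DMARC, FIXED_DKIM))
```
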
SECURITY RISKS: EXCHANGE SERVER CVE EXPOSURE
--------------------------------------------
Because Intermedia runs Exchange Server (not Exchange Online), your email
infrastructure is subject to the same vulnerabilities that have affected
on-premises Exchange servers worldwide over the past several years:
- ProxyLogon (CVE-2021-26855) — mass-exploited March 2021
- ProxyShell (CVE-2021-34473) — mass-exploited August 2021
- ProxyNotShell (CVE-2022-41040) — actively exploited October 2022
- OWASSRF (CVE-2022-41080) — Rackspace breach, December 2022
Microsoft patches Exchange Online the same day vulnerabilities are
disclosed. Intermedia patches their hosted Exchange clusters on their
own schedule. The gap between disclosure and patch deployment is when
attacks occur.
WHAT INTERMEDIA DOES NOT PROVIDE
---------------------------------
- Advanced threat protection (no Safe Links, Safe Attachments)
- Conditional Access / MFA enforcement policies
- Modern email archiving with FINRA compliance certification
- Desktop Office applications (Word, Excel, Outlook, etc.)
- Mobile device management
- Identity protection or sign-in risk detection
================================================================================
RECOMMENDED SOLUTION: M365 BUSINESS PREMIUM + MAILPROTECTOR
================================================================================
MICROSOFT 365 BUSINESS PREMIUM
-------------------------------
$22/user/month (direct) — includes:
Exchange Online          Full cloud email, Microsoft-managed, same-day patching
Desktop Office Apps      Word, Excel, Outlook, PowerPoint, OneNote (5 devices)
Microsoft Teams          Chat, video, file collaboration
SharePoint / OneDrive    1 TB cloud file storage per user
Microsoft Purview        FINRA/SEC 17a-4 compliant email archiving (WORM)
Defender for Office 365  Safe Links, Safe Attachments, anti-phishing (Plan 1)
Microsoft Entra ID P1    Conditional Access, MFA enforcement, sign-in risk
Microsoft Intune         Mobile device and PC management
MAILPROTECTOR (ACG-MANAGED FRONTEND)
-------------------------------------
Mailprotector sits in front of Exchange Online as an additional email
security layer, providing:
- Inbound spam and malware filtering before mail reaches Exchange
- Outbound filtering and DLP
- Quarantine management
- ACG-managed — we handle configuration, updates, and tuning
WHAT THIS LOOKS LIKE DAY-TO-DAY
--------------------------------
Inbound mail path:
Sender -> Mailprotector (spam/malware filter) -> Exchange Online -> Outlook
Outbound mail path:
Outlook -> Exchange Online -> Internet (DKIM-signed, SPF-aligned, DMARC-enforced)
Result: your outbound email is cryptographically authenticated, and your
inbound email is filtered twice before reaching your inbox.
SECURITY POSTURE COMPARISON
----------------------------
                            Intermedia             M365 Business Premium
                                                   + Mailprotector
-----------------------------------------------------------------------
Exchange CVE exposure       Yes (Exchange Server)  No (Exchange Online)
Same-day security patching  No (Intermedia pace)   Yes (Microsoft)
Inbound threat filtering    Basic                  Mailprotector + Defender
Safe Links (URL scanning)   No                     Yes
Safe Attachments            No                     Yes
MFA enforcement policy      Manual, per-user       Conditional Access (P1)
DMARC/DKIM/SPF              Not managed            ACG-configured
Email archiving (FINRA)     Extra cost add-on      Included (Purview)
Desktop Office apps         No                     Yes
Mobile device management    No                     Yes (Intune)
Sign-in risk detection      No                     Yes (Entra P1)
-----------------------------------------------------------------------
================================================================================
REGARDING YOUR BROKER/DEALER COMPLIANCE REQUIREMENT
================================================================================
You have indicated that your Broker/Dealer may require Intermedia for
compliance purposes. We want to address this directly.
WHAT FINRA RULE 4511 AND SEC RULE 17a-4 ACTUALLY REQUIRE:
The regulations require that broker/dealers retain electronic
communications (including email) in a format that is:
1. Non-rewritable and non-erasable (WORM storage)
2. Retained for a minimum period (3 years accessible, 6 total)
3. Indexed and available for regulatory inspection on demand
4. Subject to supervisory review
The regulations do NOT name any specific vendor or platform.
They specify outcomes, not products.
MICROSOFT 365 IS FINRA/SEC 17a-4 COMPLIANT:
Microsoft Purview Compliance (included in Business Premium) has received
a formal compliance assessment from Cohasset Associates confirming that
Exchange Online and SharePoint Online meet the requirements of SEC Rule
17a-4(f) and CFTC Rule 1.31. This assessment is publicly available.
The majority of FINRA-registered broker/dealers — including large
institutions — run on Exchange Online today. FINRA has published
guidance explicitly endorsing cloud-based recordkeeping solutions.
OUR EXPECTATION:
If your Broker/Dealer has a written policy specifying Intermedia by
name as the required platform, we would consider that extraordinary and
would want to review it alongside your compliance attorney. In our
experience, B/D policies specify archiving standards, not vendors.
================================================================================
ACTION REQUIRED FROM SHEILA — BEFORE OUR MEETING TOMORROW AT 2 PM
================================================================================
Please locate and provide the written policy from your Broker/Dealer that
specifies your email and security compliance requirements.
Specifically, we are looking for any document that:
- Defines which email platforms are approved or required
- Specifies archiving or retention requirements for electronic communications
- Names Intermedia (or any vendor) as a required provider
If no such document exists, or if the policy specifies standards rather
than a named vendor, we can proceed with the Microsoft 365 migration on
the timeline we discussed.
Please have this document (or confirmation that it does not exist) ready
for our meeting on Tuesday, May 27 at 2:00 PM.
If you have questions before then, call or text Mike at Arizona Computer
Guru.
================================================================================
PROPOSED TIMELINE
================================================================================
Now through May 27:  Sheila obtains B/D compliance policy
May 27 (2 PM):       Review policy; confirm migration go/no-go
May 28-29:           Purchase licenses; configure tenant
May 30-31:           Stand up mailboxes; configure Mailprotector
June 1-2:            Mail migration from Intermedia; DNS cutover
June 3:              Current GoDaddy O365 Essentials lapses — new
                     Business Premium is live before this date
================================================================================
Arizona Computer Guru LLC
Mike Swanson
mike@azcomputerguru.com
(520) 226-3987
================================================================================