claudetools/clients/glaztech/session-logs/2026-06-02-session.md
Mike Swanson 61081f70c2 sync: auto-sync from GURU-BEAST-ROG at 2026-06-02 10:44:23
Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-06-02 10:44:23
2026-06-02 10:44:29 -07:00


Session Log — 2026-06-02 — Glaz-Tech Industries

User

  • User: Mike Swanson (mike)
  • Machine: GURU-BEAST-ROG
  • Role: admin

Session Summary

Mike requested a transport rule in the Glaztech Exchange Online tenant to allow messages from MailProtector as noreply@azcomputerguru.com through spam filtering. These are MailProtector quarantine digest notifications sent to Glaztech users on behalf of ACG's no-reply address.

Before creating the rule, a message trace was pulled (via Get-MessageTraceV2) for noreply@azcomputerguru.com over the past 10 days to verify that messages were in fact being filtered by Microsoft. The trace confirmed the issue: the vast majority of digest messages delivered successfully, but some recipients were hitting FilteredAsSpam status (e.g., tshaw@glaztech.com on 2026-06-02 at 3:07 PM). The gtimail@glaztech.com address showed Failed status on every daily send — this is caused by the existing "GTIMail No-Reply - Reject Inbound" transport rule (Priority 1, SentToPredicateRejectMessageAction) and is a separate, pre-existing issue noted for follow-up.

Authentication to Exchange Online used the ComputerGuru Exchange Operator multi-tenant app (b43e7342) with certificate-based credentials from the vault. The token was acquired via get-token.sh for the exchange-op tier against the Glaztech tenant (82931e3c-de7a-4f74-87f7-fe714be1f160) and passed to Connect-ExchangeOnline -AccessToken with EXO PowerShell V3 (3.9.2).

A new transport rule was created: "SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)" at Priority 4, condition From: noreply@azcomputerguru.com, action SetSCL -1. This bypasses all spam and junk folder filtering for these digests. The rule was verified active immediately after creation.


Key Decisions

  • SCL = -1 rather than domain-level bypass: The sender address noreply@azcomputerguru.com is specific enough that setting SCL=-1 on it carries minimal risk. A domain-level bypass (azcomputerguru.com) was considered but rejected — too broad, would cover all ACG-origin mail.
  • Priority 4: Placed below the existing SCL bypass rules (Priority 2 and 3) since no conflict exists; priority ordering doesn't matter for non-overlapping senders. Placed above any catch-all rules that might exist in the future.
  • Did not restrict by connector: The "Inbound Spam Filter" connector has no SenderIPAddresses restriction (per prior decision — avoids blocking calendar invites from external M365 tenants). Adding a connector-based condition to the rule was avoided for the same reason.
  • gtimail@glaztech.com not addressed: The daily Failed delivery to gtimail@glaztech.com is caused by the pre-existing "GTIMail No-Reply - Reject Inbound" rule. Mike did not request any change to that rule; flagged for separate review.

Problems Encountered

  • Get-MessageTrace deprecated: Initial call to Get-MessageTrace returned a deprecation warning and failed. Switched to Get-MessageTraceV2. Note: Get-MessageTraceV2 does not accept -PageSize — that parameter does not exist on the V2 cmdlet.
  • New-TransportRule -SenderAddresses not valid: First attempt used -SenderAddresses which is not a valid parameter. Correct parameter is -From for explicit sender address matching.
  • Cert not in Windows cert store: Exchange Operator cert (A615823DE1CAF15229027DEC075AFE32B900D82C) is not installed in LocalMachine\My or CurrentUser\My on BEAST. Used get-token.sh cert-based JWT flow instead, passing the resulting bearer token to Connect-ExchangeOnline -AccessToken.

Configuration Changes

  • Exchange Online transport rule created in glaztechindustries.onmicrosoft.com:
    • Name: SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)
    • Condition: From = noreply@azcomputerguru.com
    • Action: SetSCL -1
    • Priority: 4
    • State: Enabled
    • Comments: "Bypass spam filtering for MailProtector quarantine digest emails sent as noreply@azcomputerguru.com. Created 2026-06-02 by ACG."

Credentials & Secrets

  • Vault path used: msp-tools/computerguru-exchange-operator.sops.yaml
    • App: ComputerGuru - Exchange Operator
    • Client ID: b43e7342-5b4b-492f-890f-bb5a4f7f40e9
    • Cert thumbprint: A615823DE1CAF15229027DEC075AFE32B900D82C
    • Token acquired via: bash .claude/skills/remediation-tool/scripts/get-token.sh <tenant-id> exchange-op

Infrastructure & Servers

  • Glaztech tenant: glaztechindustries.onmicrosoft.com
  • Tenant ID: 82931e3c-de7a-4f74-87f7-fe714be1f160
  • Inbound mail filter: MailProtector — glaztech-com.inbound.emailservice.io
  • Inbound connector: "Inbound Spam Filter" — Partner type, RequireTls=True, no IP restriction (intentional — preserves calendar invite delivery)
  • EXO PowerShell module: ExchangeOnlineManagement 3.9.2

Commands & Outputs

# Connect to Glaztech EXO with app-only token
$token = bash .claude/skills/remediation-tool/scripts/get-token.sh 82931e3c-de7a-4f74-87f7-fe714be1f160 exchange-op
Connect-ExchangeOnline -AccessToken $token -Organization 'glaztechindustries.onmicrosoft.com' -ShowBanner:$false

# Message trace (last 10 days) — confirmed FilteredAsSpam occurrences
Get-MessageTraceV2 -SenderAddress 'noreply@azcomputerguru.com' -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date)
# Key finding: tshaw@glaztech.com → FilteredAsSpam (2026-06-02 3:07 PM)
# Key finding: gtimail@glaztech.com → Failed daily (pre-existing rule, separate issue)

# Create rule
New-TransportRule `
    -Name 'SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)' `
    -From 'noreply@azcomputerguru.com' `
    -SetSCL -1 `
    -Priority 4 `
    -Comments 'Bypass spam filtering for MailProtector quarantine digest emails sent as noreply@azcomputerguru.com. Created 2026-06-02 by ACG.' `
    -Enabled $true

Final transport rule list (Glaztech):

Priority 0  Pensky Allow                                                    Enabled
Priority 1  GTIMail No-Reply - Reject Inbound                               Enabled
Priority 2  SCL Bypass - hartsglass + olemons (SHVSALES)                    Enabled
Priority 3  SCL Bypass - aaaglassinc.com (SHVSALES)                         Enabled
Priority 4  SCL Bypass - noreply@azcomputerguru.com (MailProtector digests) Enabled
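
A read-only follow-up check for the rule created above, added here as an example and not part of the original session. It assumes the Connect-ExchangeOnline session is still open; the one-day trace window and the NarrowedBy column name are choices made for this example.

```powershell
# Added example: post-change checks for the SCL bypass rule (read-only).
$sender   = 'noreply@azcomputerguru.com'
$ruleName = 'SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)'

# 1. Confirm the rule exists, is enabled, and sits at the expected priority.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, From, SetSCL, WhenChanged

# 2. List every SCL -1 rule with the conditions that scope it. A rule keyed
#    only on From/SenderDomainIs trusts the sender address as presented, so
#    NarrowedBy shows whether an IP range or header condition also applies.
Get-TransportRule -ResultSize Unlimited |
    Where-Object { "$($_.SetSCL)" -eq '-1' } |
    ForEach-Object {
        $narrow = @()
        if ($_.SenderIpRanges)              { $narrow += 'SenderIpRanges' }
        if ($_.HeaderContainsMessageHeader) { $narrow += "HeaderContains:$($_.HeaderContainsMessageHeader)" }
        if ($_.HeaderMatchesMessageHeader)  { $narrow += "HeaderMatches:$($_.HeaderMatchesMessageHeader)" }
        [pscustomobject]@{
            Priority   = $_.Priority
            Name       = $_.Name
            State      = $_.State
            From       = $_.From -join ', '
            Domains    = $_.SenderDomainIs -join ', '
            NarrowedBy = if ($narrow) { $narrow -join '; ' } else { 'sender match only' }
        }
    } | Sort-Object Priority | Format-Table -AutoSize -Wrap

# 3. Re-run the trace over a short window (assumed: last 24 hours) and
#    summarize by status. FilteredAsSpam rows received after the rule was
#    created mean the bypass is not taking effect for those recipients.
$trace = Get-MessageTraceV2 -SenderAddress $sender `
    -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date)
$trace | Group-Object Status | Select-Object Name, Count
$trace | Where-Object Status -eq 'FilteredAsSpam' |
    Select-Object Received, RecipientAddress, Subject, Status
```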

Pending / Incomplete Tasks

  • gtimail@glaztech.com failing daily: The "GTIMail No-Reply - Reject Inbound" rule (Priority 1) rejects all inbound mail to gtimail@glaztech.com. This causes the daily MailProtector digest to fail for that address. Confirm with Steve Eastman whether gtimail@glaztech.com should receive digests (i.e., whether the reject rule should have an exception or be modified).
  • Exchange Operator cert not in BEAST cert store: If cert-based PowerShell connections are needed without get-token.sh (e.g., for interactive EXO sessions), the cert will need to be imported to the machine store. Not urgent — token flow works fine for bot-driven operations.

Reference Information

  • Syncro customer ID: 143932
  • EXO rule created: SCL Bypass - noreply@azcomputerguru.com (MailProtector digests) — Priority 4
  • EXO PowerShell V2 deprecation note: Get-MessageTrace deprecated Sept 1 2025; use Get-MessageTraceV2 (no -PageSize parameter)
  • Vault: msp-tools/computerguru-exchange-operator.sops.yaml
  • Token cache: /tmp/remediation-tool/82931e3c-de7a-4f74-87f7-fe714be1f160/exchange-op.jwt