claudetools/clients/glaztech/session-logs/2026-06-02-session.md
Mike Swanson 61081f70c2 sync: auto-sync from GURU-BEAST-ROG at 2026-06-02 10:44:23
Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-06-02 10:44:23
2026-06-02 10:44:29 -07:00

# Session Log — 2026-06-02 — Glaz-Tech Industries
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-BEAST-ROG
- **Role:** admin
---
## Session Summary
Mike requested a transport rule in the Glaztech Exchange Online tenant to allow messages from MailProtector as `noreply@azcomputerguru.com` through spam filtering. These are MailProtector quarantine digest notifications sent to Glaztech users on behalf of ACG's no-reply address.
Before creating the rule, a message trace was pulled (via `Get-MessageTraceV2`) for `noreply@azcomputerguru.com` over the past 10 days to verify that messages were in fact being filtered by Microsoft. The trace confirmed the issue: the vast majority of digest messages were delivered successfully, but some recipients were hitting `FilteredAsSpam` status (e.g., `tshaw@glaztech.com` on 2026-06-02 at 3:07 PM). The `gtimail@glaztech.com` address showed `Failed` status on every daily send — this is caused by the existing "GTIMail No-Reply - Reject Inbound" transport rule (Priority 1, `SentToPredicate`, `RejectMessageAction`) and is a separate, pre-existing issue noted for follow-up.
Authentication to Exchange Online used the ComputerGuru Exchange Operator multi-tenant app (`b43e7342`) with certificate-based credentials from the vault. The token was acquired via `get-token.sh` for the `exchange-op` tier against the Glaztech tenant (`82931e3c-de7a-4f74-87f7-fe714be1f160`) and passed to `Connect-ExchangeOnline -AccessToken` with EXO PowerShell V3 (3.9.2).
A new transport rule was created: **"SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)"** at Priority 4, condition `From: noreply@azcomputerguru.com`, action `SetSCL -1`. This bypasses all spam and junk folder filtering for these digests. The rule was verified active immediately after creation.
---
## Key Decisions
- **SCL = -1 rather than domain-level bypass:** The sender address `noreply@azcomputerguru.com` is specific enough that setting SCL=-1 on it carries minimal risk. A domain-level bypass (`azcomputerguru.com`) was considered but rejected — too broad, would cover all ACG-origin mail.
- **Priority 4:** Placed below the existing SCL bypass rules (Priorities 2 and 3) since no conflict exists; priority ordering doesn't matter for non-overlapping senders. Placed above any catch-all rules that might exist in the future.
- **Did not restrict by connector:** The "Inbound Spam Filter" connector has no SenderIPAddresses restriction (per prior decision — avoids blocking calendar invites from external M365 tenants). Adding a connector-based condition to the rule was avoided for the same reason.
- **gtimail@glaztech.com not addressed:** The daily `Failed` delivery to `gtimail@glaztech.com` is caused by the pre-existing "GTIMail No-Reply - Reject Inbound" rule. Mike did not request any change to that rule; flagged for separate review.
---
## Problems Encountered
- **`Get-MessageTrace` deprecated:** Initial call to `Get-MessageTrace` returned a deprecation warning and failed. Switched to `Get-MessageTraceV2`. Note: `Get-MessageTraceV2` does not accept `-PageSize` — that parameter does not exist on the V2 cmdlet.
- **`New-TransportRule -SenderAddresses` not valid:** First attempt used `-SenderAddresses` which is not a valid parameter. Correct parameter is `-From` for explicit sender address matching.
- **Cert not in Windows cert store:** Exchange Operator cert (`A615823DE1CAF15229027DEC075AFE32B900D82C`) is not installed in LocalMachine\My or CurrentUser\My on BEAST. Used `get-token.sh` cert-based JWT flow instead, passing the resulting bearer token to `Connect-ExchangeOnline -AccessToken`.
---
## Configuration Changes
- **Exchange Online transport rule created** in `glaztechindustries.onmicrosoft.com`:
  - Name: `SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)`
  - Condition: `From = noreply@azcomputerguru.com`
  - Action: `SetSCL -1`
  - Priority: 4
  - State: Enabled
  - Comments: "Bypass spam filtering for MailProtector quarantine digest emails sent as noreply@azcomputerguru.com. Created 2026-06-02 by ACG."
---
## Credentials & Secrets
- **Vault path used:** `msp-tools/computerguru-exchange-operator.sops.yaml`
- App: ComputerGuru - Exchange Operator
- Client ID: `b43e7342-5b4b-492f-890f-bb5a4f7f40e9`
- Cert thumbprint: `A615823DE1CAF15229027DEC075AFE32B900D82C`
- Token acquired via: `bash .claude/skills/remediation-tool/scripts/get-token.sh <tenant-id> exchange-op`
---
## Infrastructure & Servers
- **Glaztech tenant:** `glaztechindustries.onmicrosoft.com`
- **Tenant ID:** `82931e3c-de7a-4f74-87f7-fe714be1f160`
- **Inbound mail filter:** MailProtector — `glaztech-com.inbound.emailservice.io`
- **Inbound connector:** "Inbound Spam Filter" — Partner type, RequireTls=True, no IP restriction (intentional — preserves calendar invite delivery)
- **EXO PowerShell module:** ExchangeOnlineManagement 3.9.2
---
## Commands & Outputs
```powershell
# Connect to Glaztech EXO with app-only token
$token = bash .claude/skills/remediation-tool/scripts/get-token.sh 82931e3c-de7a-4f74-87f7-fe714be1f160 exchange-op
Connect-ExchangeOnline -AccessToken $token -Organization 'glaztechindustries.onmicrosoft.com' -ShowBanner:$false

# Message trace (last 10 days) — confirmed FilteredAsSpam occurrences
Get-MessageTraceV2 -SenderAddress 'noreply@azcomputerguru.com' -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date)
# Key finding: tshaw@glaztech.com → FilteredAsSpam (2026-06-02 3:07 PM)
# Key finding: gtimail@glaztech.com → Failed daily (pre-existing rule, separate issue)

# Create rule
New-TransportRule `
    -Name 'SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)' `
    -From 'noreply@azcomputerguru.com' `
    -SetSCL -1 `
    -Priority 4 `
    -Comments 'Bypass spam filtering for MailProtector quarantine digest emails sent as noreply@azcomputerguru.com. Created 2026-06-02 by ACG.' `
    -Enabled $true
```
**Final transport rule list (Glaztech):**
```
Priority 0  Pensky Allow                                                     Enabled
Priority 1  GTIMail No-Reply - Reject Inbound                                Enabled
Priority 2  SCL Bypass - hartsglass + olemons (SHVSALES)                     Enabled
Priority 3  SCL Bypass - aaaglassinc.com (SHVSALES)                          Enabled
Priority 4  SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)  Enabled
```
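The scoping decision recorded under Key Decisions (one sender address rather than the whole domain) can be re-checked at any time by classifying every enabled `SetSCL -1` rule by how it matches senders. This is an added example, not part of the original session log: `Get-SclBypassScope` is a hypothetical helper, and the sample rules are constructed (only the first mirrors the rule created in this session).

```powershell
# Added example: report how broadly each enabled SCL -1 transport rule matches senders.
# Reads property names returned by Get-TransportRule:
# Name, Priority, State, SetSCL, From, SenderDomainIs.
function Get-SclBypassScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Rule
    )
    process {
        # Only enabled rules that force SCL to -1 skip spam filtering.
        if ($Rule.State -ne 'Enabled' -or "$($Rule.SetSCL)" -ne '-1') { return }

        $addresses = @($Rule.From | Where-Object { $_ })
        $domains   = @($Rule.SenderDomainIs | Where-Object { $_ })

        if ($domains.Count -gt 0)       { $scope = 'Domain' }   # whole sending domain
        elseif ($addresses.Count -gt 0) { $scope = 'Address' }  # explicit sender(s)
        else                            { $scope = 'Other' }    # different condition; review by hand

        [pscustomobject]@{
            Priority = $Rule.Priority
            Name     = $Rule.Name
            Scope    = $scope
            Senders  = ($addresses + $domains) -join ', '
        }
    }
}

# Constructed sample rules (not tenant output). The first mirrors the rule
# created in this session; the other two are hypothetical.
$sample = @(
    [pscustomobject]@{ Name = 'SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)'
                       Priority = 4; State = 'Enabled'; SetSCL = -1
                       From = @('noreply@azcomputerguru.com'); SenderDomainIs = $null }
    [pscustomobject]@{ Name = 'Example domain bypass'; Priority = 5; State = 'Enabled'
                       SetSCL = -1; From = $null; SenderDomainIs = @('example.com') }
    [pscustomobject]@{ Name = 'Example reject rule'; Priority = 6; State = 'Enabled'
                       SetSCL = $null; From = $null; SenderDomainIs = $null }
)
$sample | Get-SclBypassScope | Sort-Object Priority | Format-Table -AutoSize

# Against a connected tenant: Get-TransportRule | Get-SclBypassScope
```

Rules reported as `Domain` or `Other` are the ones to re-review, since they bypass filtering for more than a single named sender.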
---
## Pending / Incomplete Tasks
- **gtimail@glaztech.com failing daily:** The "GTIMail No-Reply - Reject Inbound" rule (Priority 1) rejects all inbound mail to `gtimail@glaztech.com`. This causes the daily MailProtector digest to fail for that address. Confirm with Steve Eastman whether `gtimail@glaztech.com` should receive digests (i.e., whether the reject rule should have an exception or be modified).
- **Exchange Operator cert not in BEAST cert store:** If cert-based PowerShell connections are needed without `get-token.sh` (e.g., for interactive EXO sessions), the cert will need to be imported to the machine store. Not urgent — token flow works fine for bot-driven operations.
---
## Reference Information
- **Syncro customer ID:** 143932
- **EXO rule created:** `SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)` — Priority 4
- **EXO PowerShell V2 deprecation note:** `Get-MessageTrace` deprecated Sept 1 2025; use `Get-MessageTraceV2` (no `-PageSize` parameter)
- **Vault:** `msp-tools/computerguru-exchange-operator.sops.yaml`
- **Token cache:** `/tmp/remediation-tool/82931e3c-de7a-4f74-87f7-fe714be1f160/exchange-op.jwt`