claudetools/wiki/clients/quantumwms.md
Mike Swanson c7e5dfc673 sync: auto-sync from GURU-5070 at 2026-05-26 15:58:46
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-05-26 15:58:46
2026-05-26 15:58:50 -07:00


| title | slug | type | project_key | last_updated |
|---|---|---|---|---|
| Quantum WMS | quantumwms | client | clients/quantumwms | 2026-05-26 |

Quantum WMS

Overview

| Field | Value |
|---|---|
| Company | Quantum WMS |
| Primary domain | quantumwms.com |
| Personal domain | sheilaperess.com |
| M365 tenant | NETORGFT2570783.onmicrosoft.com / 8f7eaff4-f913-4d3f-b8b9-92e695d987c6 |
| GoDaddy admin | plan@johnvelez.com (John Velez) — ACG has delegate access |
| Project key | clients/quantumwms |

Contacts

| Name | Role | Notes |
|---|---|---|
| John Velez | Primary / M365 global admin | plan@johnvelez.com; GoDaddy account owner for both domains |
| Sheila Peress | Owner/principal | sheilaperess.com personal domain; compliance decision-maker; final say on license tier |

Current Email Infrastructure

  • Registrar: GoDaddy (quantumwms.com + sheilaperess.com) — ACG has delegate access
  • DNS: GoDaddy DomainControl (NS03/NS04.DOMAINCONTROL.COM) — no DNSSEC
  • Mail routing: Intermedia hosted Exchange — exch090.serverdata.net cluster (east/west)
    • IP: 64.78.25.106 (Intermedia data center)
    • Autodiscover: ar-east.exch090.serverdata.net
    • This is Exchange Server software hosted by Intermedia, NOT Exchange Online
  • Intermedia setup: Appears hybrid on-premises Exchange — carries full Exchange Server CVE exposure

DNS / Email Security Gaps (CRITICAL)

| Record | Status | Impact |
|---|---|---|
| DMARC | MISSING | Anyone can spoof @quantumwms.com with no enforcement |
| SPF | TWO RECORDS (misconfiguration) | RFC 7208 allows only one; causes unpredictable SPF evaluation and deliverability failures |
| DKIM | Not found on standard selectors | Outbound mail not cryptographically signed |
| DNSSEC | Not signed | Domain hijack risk |

SPF records found (conflict):

  1. v=spf1 include:spf.intermedia.net -all
  2. v=spf1 include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all
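
The check behind the SPF and DMARC rows above, as an added example that is not part of the original wiki page: an offline audit of a domain's TXT answers that flags multiple SPF records (a permerror under RFC 7208 section 4.5), weak `all` qualifiers, and a missing DMARC policy. The function names are hypothetical, the SPF strings are the two listed above, and the empty `_dmarc` answer is constructed to match the MISSING status.

```python
# Added example: offline audit of the TXT answers for a domain and its _dmarc name.
# Function names are hypothetical; the SPF strings are the two documented above.

def spf_records(txt_records):
    """Select SPF records: 'v=spf1' alone or followed by a space (RFC 7208 section 4.5)."""
    found = []
    for txt in txt_records:
        value = txt.strip()
        if value.lower() == "v=spf1" or value.lower().startswith("v=spf1 "):
            found.append(value)
    return found

def audit_spf(txt_records):
    """Return (result, findings) for the SPF record set of one domain."""
    records = spf_records(txt_records)
    if not records:
        return "none", ["no SPF record published"]
    if len(records) > 1:
        # Receivers must return permerror when more than one record is selected.
        return "permerror", [f"{len(records)} SPF records published; merge into one"]
    findings = []
    terms = records[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism; unmatched senders evaluate to neutral")
    elif not all_terms[0].startswith("-"):
        findings.append(f"'{all_terms[0]}' does not hard-fail unmatched senders")
    return "ok", findings

def audit_dmarc(dmarc_txt_records):
    """Return the published DMARC policy (p= tag), 'invalid', or 'missing'."""
    for txt in dmarc_txt_records:
        tags = [part.strip() for part in txt.split(";") if part.strip()]
        if tags and tags[0].replace(" ", "").lower() == "v=dmarc1":
            for tag in tags[1:]:
                key, _, value = tag.partition("=")
                if key.strip().lower() == "p":
                    return value.strip().lower()
            return "invalid"  # version tag present but no policy tag
    return "missing"

# Constructed input: the apex TXT set as documented above, and an empty _dmarc answer.
APEX_TXT = [
    "v=spf1 include:spf.intermedia.net -all",
    "v=spf1 include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all",
]
DMARC_TXT = []

if __name__ == "__main__":
    print(audit_spf(APEX_TXT))
    print(audit_dmarc(DMARC_TXT))
```

Re-running the same audit after the SPF fix in the migration steps should return `ok` with no findings for the single merged record.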

M365 Tenant (GoDaddy/johnvelez.com)

  • Tenant created: 2016-12-05 (GoDaddy-provisioned)
  • onmicrosoft domain: NETORGFT2570783.onmicrosoft.com
  • quantumwms.com is NOT a verified domain in this tenant — email runs entirely through Intermedia
  • Remediation app consent: Tenant Admin tier consented by John (plan@johnvelez.com) 2026-05-26

Users

| UPN | Display | Licenses | Notes |
|---|---|---|---|
| plan@johnvelez.com | John Velez | O365 Business Essentials + Flow Free | Active — no desktop Office apps |
| admin@NETORGFT2570783.onmicrosoft.com | johnvelez.com | None | GoDaddy admin account |
| john__quantumwms.com@NETORGFT2570783.onmicrosoft.com | john@quantumwms.com | None | Shell account, no mailbox, created 2026-03-16 |
| migrationapp@NETORGFT2570783.onmicrosoft.com | SkyKick Inc. | None | Old 2016 migration app account |
https://login.microsoftonline.com/8f7eaff4-f913-4d3f-b8b9-92e695d987c6/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent

Post-consent onboard command:

bash onboard-tenant.sh 8f7eaff4-f913-4d3f-b8b9-92e695d987c6

Compliance Context: Broker/Dealer Requirements

John and Sheila believe Intermedia is mandated by their Broker/Dealer. This is almost certainly incorrect.

What SEC Rule 17a-4 / FINRA Rule 4511 actually require

  • Electronic communication retention (3 years accessible, 6 years total for most records)
  • Non-rewritable, non-erasable (WORM-compliant) archiving
  • Supervisory review capability
  • Ability to produce records on regulatory demand

What they do NOT require

  • Intermedia specifically
  • Any named third-party vendor
  • Exchange Server or hosted Exchange

Microsoft 365 satisfies all FINRA/17a-4 requirements

Microsoft Purview (included in Business Premium) provides WORM-compliant archiving with a CFTC/SEC 17a-4 compliance attestation from Cohasset Associates. The majority of FINRA-registered broker/dealers run on Exchange Online. FINRA has published guidance explicitly endorsing cloud-based recordkeeping.

Action item (BLOCKER)

Sheila has been asked to produce written policy from the Broker/Dealer that explicitly names Intermedia as the required platform. This policy is expected not to exist — the B/D policy will require compliant archiving, not a specific vendor. Resolution expected before meeting 2026-05-27 14:00.

License Plan

| Account | License | Domain |
|---|---|---|
| John (firm) | M365 Business Premium | quantumwms.com |
| Sheila (firm) | M365 Business Premium | quantumwms.com |
| Sheila (personal) | Exchange Online Plan 1 | sheilaperess.com |
| Others TBD | Exchange Online Plan 1 | TBD |

What Business Premium provides over Intermedia

| Capability | Intermedia Hosted Exchange | M365 Business Premium |
|---|---|---|
| Email | Exchange Server (hosted) | Exchange Online (Microsoft cloud) |
| Exchange CVE exposure | YES — full Server CVE surface | No — Microsoft patches same-day |
| Spam/malware filtering | Basic | Defender for Office 365 Plan 1 (Safe Links, Safe Attachments) |
| Frontend filtering | None | Mailprotector (ACG-managed) |
| MFA enforcement | Manual | Entra ID P1 — Conditional Access |
| FINRA archiving | Intermedia archiver (extra cost) | Microsoft Purview — included |
| Desktop Office apps | No | Yes (Word, Excel, Outlook, etc.) |
| Mobile device management | No | Intune — included |
| DMARC/DKIM setup | Not managed | ACG-managed during migration |

Migration Steps

  1. [DONE] Get consent from John (2026-05-26)
  2. Obtain written B/D compliance policy from Sheila — confirm no Intermedia mandate
  3. Add quantumwms.com as verified domain to johnvelez.com tenant
  4. Purchase 2x Business Premium (direct or ACG CSP)
  5. Create firm mailboxes (john@quantumwms.com, sheila@quantumwms.com)
  6. Assign Business Premium licenses
  7. Set up Mailprotector frontend for quantumwms.com
  8. Configure DMARC, fix SPF (single record), configure DKIM
  9. Cut MX from Intermedia → Exchange Online
  10. Migrate existing mail from Intermedia → Exchange Online
  11. Activate Office apps on their machines
  12. Cancel Intermedia after cutover confirmed
  13. Move DNS (quantumwms.com + sheilaperess.com) to Cloudflare
  14. Purchase Exchange Online Plan 1 for personal domain accounts
  15. Cancel GoDaddy email hosting per account as each migrates

GoDaddy Decoupling Plan

  • DNS: move both domains to Cloudflare (transfer locks must be removed in GoDaddy first)
  • M365 licensing: swap GoDaddy-resold O365 Business Essentials → Business Premium
  • Intermedia: cancel after mail cutover confirmed

Open Items

  • BLOCKER: Sheila to produce B/D written policy on email compliance requirements (due 2026-05-27 14:00)
  • Sheila to confirm: sheilaperess.com Exchange Online Plan 1 only vs. Business Basic upgrade
  • Determine additional personal domain accounts beyond sheilaperess.com
  • DNS cutover timing for both domains
  • Confirm whether SkyKick migration app account (2016) can be deleted