Settings

Email services

VerifyWise supports multiple email service providers through a provider abstraction layer, enabling administrators to choose the most suitable email service for their organization. The system includes security enhancements such as TLS enforcement, input validation, and credential rotation for supported providers.

The email service includes:

  • Provider Abstraction: Factory pattern supporting 5 email providers

  • Security Features: TLS 1.2 enforcement, input validation, path traversal protection

  • Credential Management: Automatic rotation for AWS SES

  • Connection Management: Connection pooling and timeout configurations

  • Validation Engine: Enhanced email address validation with security checks

Quick start

All email configurations require these core environment variables:

EMAIL_PROVIDER=smtp                       # Choose: resend, smtp, exchange-online, exchange-onprem, amazon-ses
EMAIL_ID=<sender@your-verified-domain>    # Must match a domain verified with the provider

Example setup

Here is an example setup for Resend.

EMAIL_PROVIDER=resend
EMAIL_ID=<sender@your-verified-domain>
RESEND_API_KEY=re_your_development_api_key

Supported Email Providers

Provider               Use Case                                                               Setup Complexity
Exchange Online        Microsoft 365 organizations                                            Medium
On-Premises Exchange   Enterprise with self-hosted Exchange                                   High
Amazon SES             AWS-based deployments, high volume                                     Medium
Generic SMTP           Custom servers, Gmail, other providers (enterprise readiness varies)   Medium
Resend                 Development, small to medium teams                                     Low

Provider configurations

1. Resend

This setup is best for development, testing, and small to medium deployments.

EMAIL_PROVIDER=resend
EMAIL_ID=<sender@your-verified-domain>
RESEND_API_KEY=re_your_api_key_here

Setup Process:

  1. Sign up at resend.com

  2. Add and verify your domain

  3. Generate API key in dashboard

  4. Test with a simple email send

2. Exchange Online (Office 365)

EMAIL_PROVIDER=exchange-online
EMAIL_ID=<sender@your-verified-domain>
EXCHANGE_ONLINE_USER=<service-account-upn>        # variable name assumed by analogy with EXCHANGE_ONPREM_USER; confirm against your deployment
EXCHANGE_ONLINE_PASS="your-app-password-here"     # the app password, not the account password
EXCHANGE_ONLINE_TENANT_ID=your-tenant-id-optional  # Collected but not currently used

Setup Process:

  1. Create a dedicated service account (mailbox) in the Microsoft 365 admin center

  2. Enable multi-factor authentication for the account; app passwords can only be created for MFA-enabled accounts

  3. Generate an app password (this is not the account's regular password)

  4. Allow the mailbox to send: enable authenticated SMTP (SMTP AUTH) for it and grant any "Send As" rights the sender address needs

  5. Configure environment variables

App Password Generation:

  1. Sign in as the service account itself; an admin cannot create an app password on a user's behalf

  2. Open the account's Security info page (My Account → Security info)

  3. Add method → App password, and copy the generated value when it is shown (it is not displayed again)

  4. Put that generated value in EXCHANGE_ONLINE_PASS, never the account password

3. On-Premises Exchange Server

EMAIL_PROVIDER=exchange-onprem
EMAIL_ID=<sender@your-verified-domain>
EXCHANGE_ONPREM_HOST=mail.yourcompany.com
EXCHANGE_ONPREM_PORT=587
EXCHANGE_ONPREM_USER=serviceaccount
EXCHANGE_ONPREM_PASS="service-account-password"
EXCHANGE_ONPREM_DOMAIN=YOURCOMPANY
EXCHANGE_ONPREM_SECURE=false                 # false on port 587 = STARTTLS upgrade; true = implicit TLS (port 465)

# Optional: Custom CA certificate support (with security validation)
EXCHANGE_ALLOW_SELF_SIGNED=false             # Non-production only: disables verification of the server's identity
EXCHANGE_CUSTOM_CA_PATH=/etc/ssl/certs/company-ca.pem  # Path to custom CA certificate (.pem, .crt or .cer)
EXCHANGE_CA_ALLOWED_DIR=/etc/ssl/certs        # The CA file must resolve inside this directory

Setup Process:

  1. Create service account in Active Directory

  2. Grant "Send As" permissions in Exchange

  3. Configure Exchange to allow SMTP authentication

  4. Set up TLS certificates (recommended for production)

  5. Configure firewall rules for SMTP traffic

4. Amazon SES

EMAIL_PROVIDER=amazon-ses
EMAIL_ID=<sender@your-verified-domain>
AWS_SES_REGION=us-east-1
AWS_SES_ACCESS_KEY_ID=AKIA...
AWS_SES_SECRET_ACCESS_KEY=your-secret-key
AWS_SES_API_VERSION=2010-12-01

# Optional configurations
SES_CONFIGURATION_SET=your-configuration-set
AWS_CREDENTIAL_REFRESH_INTERVAL_MS=3600000  # 1 hour

Setup Process:

  1. Create AWS account and enable SES in chosen region

  2. Verify sending domain in SES console

  3. Request production access (removes sandbox limitations)

  4. Create IAM user with SES permissions

  5. Generate access keys for service account

Required IAM Permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail",
                "ses:GetSendQuota"
            ],
            "Resource": "*"
        }
    ]
}
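The policy above grants the send actions on every SES identity in the account. The following is an added, tighter version, not taken from this page or from the VerifyWise project: the send actions are limited to the verified domain identity and, through the ses:FromAddress condition key, to the configured EMAIL_ID, while ses:GetSendQuota keeps Resource "*" because that action does not support resource-level permissions. The region, the account ID (123456789012 is the AWS documentation placeholder), the domain and the sender address are placeholders to replace.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SendOnlyFromVerifiedIdentity",
      "Effect": "Allow",
      "Action": ["ses:SendEmail", "ses:SendRawEmail"],
      "Resource": "arn:aws:ses:us-east-1:123456789012:identity/yourcompany.com",
      "Condition": {
        "StringEquals": { "ses:FromAddress": "noreply@yourcompany.com" }
      }
    },
    {
      "Sid": "ReadSendQuota",
      "Effect": "Allow",
      "Action": "ses:GetSendQuota",
      "Resource": "*"
    }
  ]
}
```

Attach it to the dedicated IAM user created in step 4, then verify it with one send from EMAIL_ID and a second attempt from another address on the same domain; the second must fail with an access-denied error from SES.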

Credential Rotation: the AWS SES provider refreshes the credentials it holds on a timer (every hour by default; AWS_CREDENTIAL_REFRESH_INTERVAL_MS sets the interval). Refreshing is not the same as rotating: a static AKIA… access key in the environment does not change by itself, so it still has to be rotated in IAM (create the new key, update the variable, then delete the old key), and the refresh interval only bounds how long the provider keeps using the previous value. If your version can use the AWS SDK's default credential chain, an IAM role with temporary credentials removes the long-lived key entirely.

5. Generic SMTP

EMAIL_PROVIDER=smtp
EMAIL_ID=<sender@your-verified-domain>
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USER=<smtp-login>           # variable name assumed from the SMTP_* naming pattern; confirm against your deployment
SMTP_PASS="your-app-password"
SMTP_SECURE=false                # false on port 587 = STARTTLS; set true only with an implicit-TLS port (465)

Common Provider Settings:

Provider   Host                     Port   Secure   Notes
Gmail      smtp.gmail.com           587    false    Requires app password
Outlook    smtp-mail.outlook.com    587    false    Use account password
Yahoo      smtp.mail.yahoo.com      587    false    Requires app password

Secure=false together with port 587 does not mean an unencrypted session: the connection starts in plaintext and is upgraded with STARTTLS before the login is sent, and the TLS 1.2 minimum described under Security Features applies to the upgraded connection. Use Secure=true only with an implicit-TLS port such as 465; pairing it with 587 fails to connect.

Gmail Setup Example:

  1. Enable 2-factor authentication on Gmail account

  2. Generate app password (Security → App passwords)

  3. Use app password in SMTP_PASS (not account password)

Security Features

Implemented Security Enhancements

The email service includes several security features:

1. TLS Enforcement

  • Minimum TLS 1.2 enforced across all providers

  • Strong cipher suites: HIGH:!aNULL:!MD5:!3DES

  • Certificate validation in production environments

2. Input Validation & Sanitization

Enhanced email validation prevents common attacks:

  • Email format validation (RFC 5322 compliant)

  • Header injection prevention: \r and \n are rejected, so a crafted address or subject cannot end the current header and append its own (for example a Bcc: line)

  • Dangerous character filtering (blocks <script>, javascript:, etc.)

  • Length limits (320 characters for an address, 998 for a subject)

  • Unicode homograph attack prevention (addresses are ASCII-only)
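The following is an added example, not VerifyWise's own validation code, showing how the checks listed above fit together for a recipient address and a subject line, and what a header-injection payload looks like when it is caught. The limits and the ASCII-only rule are taken from the list; the regular expression, the function names and the reason codes are this example's.

```javascript
// Added example (not VerifyWise's own code): a validator that applies the checks
// listed above to a recipient address and a subject line. The limits and the
// ASCII-only rule come from the list; the regex, function names and reason
// codes are this example's.
const MAX_ADDRESS_LENGTH = 320;   // local part + "@" + domain
const MAX_SUBJECT_LENGTH = 998;   // RFC 5322 line-length limit

// Dot-atom local part and a dotted domain with an alphabetic TLD. Quoted local
// parts and IP-literal domains are deliberately not accepted.
const ADDRESS_RE = /^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+)*@(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$/;
// Substrings the list above names as dangerous; checked case-insensitively.
const DANGEROUS_RE = /<script|javascript:/i;
// C0 control characters (CR and LF are reported separately) and DEL.
const CONTROL_RE = /[\x00-\x09\x0b\x0c\x0e-\x1f\x7f]/;

function validateAddress(address) {
  if (typeof address !== 'string' || address.length === 0) return { ok: false, reason: 'empty' };
  if (address.length > MAX_ADDRESS_LENGTH) return { ok: false, reason: 'length' };
  // Header injection: a CR or LF ends the To: header and starts a new one.
  if (/[\r\n]/.test(address)) return { ok: false, reason: 'crlf' };
  // Printable ASCII only, no whitespace: rejects homographs such as a Cyrillic
  // "а" (U+0430) in a domain, and display-name forms like "Alice <a@b.c>".
  if (!/^[\x21-\x7e]+$/.test(address)) return { ok: false, reason: 'non-ascii-or-whitespace' };
  if (DANGEROUS_RE.test(address)) return { ok: false, reason: 'dangerous' };
  if (!ADDRESS_RE.test(address)) return { ok: false, reason: 'format' };
  return { ok: true, reason: null };
}

// Subjects may legitimately contain non-ASCII text (it is MIME-encoded on the
// wire), so only length, line breaks, control characters and the dangerous
// substrings are rejected.
function validateSubject(subject) {
  if (typeof subject !== 'string') return { ok: false, reason: 'empty' };
  if (subject.length > MAX_SUBJECT_LENGTH) return { ok: false, reason: 'length' };
  if (/[\r\n]/.test(subject)) return { ok: false, reason: 'crlf' };
  if (CONTROL_RE.test(subject)) return { ok: false, reason: 'control' };
  if (DANGEROUS_RE.test(subject)) return { ok: false, reason: 'dangerous' };
  return { ok: true, reason: null };
}

// Gate for the send path: returns the headers only when every field passes.
function buildHeaders({ to, subject }) {
  const problems = [];
  const a = validateAddress(to);
  if (!a.ok) problems.push(`to: ${a.reason}`);
  const s = validateSubject(subject);
  if (!s.ok) problems.push(`subject: ${s.reason}`);
  if (problems.length) return { ok: false, problems };
  return { ok: true, headers: { To: to, Subject: subject } };
}

// e.g. validateAddress('victim@example.com\r\nBcc: attacker@example.com')
//      -> { ok: false, reason: 'crlf' }
```

The CRLF test runs before the ASCII test on purpose: both would reject an injection payload, but reporting it as a line-break problem rather than a character-set problem tells the operator what was attempted.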

3. Path Traversal Protection

For on-premises Exchange with custom certificates:

  • Directory restrictions: the certificate file must resolve to a location inside EXCHANGE_CA_ALLOWED_DIR

  • File extension validation: only .pem, .crt and .cer files are accepted

  • Content validation: the file must contain a PEM-encoded certificate

  • Path resolution: the path is normalised before the directory check, so ../ segments (or an absolute path elsewhere) cannot escape the allowed directory

4. Credential Management

  • AWS SES: Automatic credential rotation with configurable intervals

  • Environment-based: No hardcoded credentials in code

  • Validation: Startup configuration validation

5. Connection Security

  • Connection pooling: Efficient connection reuse (SMTP providers)

  • Timeout configurations: Prevents hanging connections

  • Retry logic: Built-in retry with exponential backoff

  • Rate limiting: Basic protection against abuse

Production Security Checklist

  • Use TLS encryption: production SMTP must run over TLS, either SECURE=true with an implicit-TLS port (typically 465) or port 587 with STARTTLS; in both cases the server certificate must validate, so leave EXCHANGE_ALLOW_SELF_SIGNED unset in production

  • App passwords: Use app passwords, not account passwords

  • Dedicated accounts: Create service-specific email accounts

  • Minimal permissions: Grant only necessary sending permissions

  • Environment variables: Store all credentials in env vars

  • Domain verification: Verify sending domains with providers

  • Certificate validation: Use proper certificates for on-premises setups

Testing Email Configuration

Test your configuration with the built-in validation:

# The system validates configuration on startup
# Check logs for configuration validation results

# Test basic connectivity
curl -X POST http://localhost:3000/api/test-email \
  -H "Content-Type: application/json" \
  -d '{"to": "<recipient-address>", "subject": "Test", "template": "test"}'

Example Migration: Resend to AWS SES

# Old configuration (Resend)
EMAIL_PROVIDER=resend
RESEND_API_KEY=re_old_key

# New configuration (AWS SES). EMAIL_ID stays the same, but its domain must also be verified in SES
EMAIL_PROVIDER=amazon-ses
AWS_SES_REGION=us-east-1
AWS_SES_ACCESS_KEY_ID=AKIA...
AWS_SES_SECRET_ACCESS_KEY=secret_key
# Once the SES path is verified, remove RESEND_API_KEY from the environment and revoke the key in the Resend dashboard

Slack Integration

Overview

VerifyWise integrates with Slack workspaces to deliver real-time notifications and alerts directly to your team's channels. The integration supports multiple workspaces, configurable notification routing, and both manual and scheduled notifications.

Our Slack integration uses OAuth 2.0 for secure, scoped access, then routes five notification types to the right channels with full multi-channel support. You get real-time alerts for system events, plus scheduled daily reminders powered by a job queue. It automatically detects and handles invalid or archived channels, and keeps everything locked down with encrypted credential storage and TLS.

Quick start

Prerequisites

Before setting up Slack integration, ensure you have:

  1. Slack Workspace: Admin access to create and configure apps

  2. VerifyWise Account: User account with appropriate permissions

  3. Environment Variables: Required configuration in .env

Basic setup

Configure environment variables: Add these to Servers/.env

# Encryption Settings (used for the encrypted credential storage described above)
ENCRYPTION_ALGORITHM="aes-256-cbc"
ENCRYPTION_PASSWORD="aaaa bbbb cccc dddd"   # placeholder only: generate a long random value and do not reuse it across environments

# Slack OAuth Configuration
# Get these values from the Slack app settings (see "Slack app setup" below)
SLACK_URL=https://slack.com/oauth/v2/authorize
SLACK_API_URL=https://slack.com/api/oauth.v2.access
SLACK_CLIENT_ID=1234567890.1234567890
SLACK_CLIENT_SECRET=abcdef1234567890abcdef1234567890
SLACK_USER_OAUTH_TOKEN=xoxp-1234567890987654322345678
SLACK_BOT_TOKEN=xoxb-234567wsdfgbn76543345665445678954

# Redis (for job queue)
REDIS_HOST=127.0.0.1
REDIS_PORT=6379

And then add these to Clients/.env

# Slack Settings
VITE_SLACK_CLIENT_ID=1234567890.1234567890
VITE_SLACK_URL=https://slack.com/oauth/v2/authorize
VITE_IS_SLACK_VISIBLE=true

Now, create Slack App at https://api.slack.com/apps, configure OAuth scopes (detailed below) and add to workspace from VerifyWise settings.

Quick integration steps

  1. Navigate to Settings → Slack in VerifyWise

  2. Click "Add to Slack" button

  3. Select your workspace and authorize the app

  4. Choose a channel for notifications

  5. Configure notification routing (optional)

  6. Send a test message to verify connectivity

Features

Supported notification types

VerifyWise routes five types of notifications to Slack channels:

  • Membership and Roles: user additions, removals, role assignments, and team management changes. Example triggers: new user joined; role changed to Admin.

  • Projects and Organizations: project creation, modifications, and organization linkages. Example triggers: new project created; project linked to org.

  • Policy Reminders and Status: automated policy review reminders and compliance status updates. Example triggers: policy review due in 7 days; compliance updated.

  • Evidence and Task Alerts: evidence uploads, reviews, task assignments, and completions. Example triggers: evidence uploaded; task assigned to user.

  • Control or Policy Changes: updates to key controls or policies that affect compliance and risk posture. Example triggers: control updated; policy modified.

Channel configuration

  • Multiple Channels: Connect multiple Slack channels from different workspaces

  • Flexible Routing: Send different notification types to different channels

  • Multi-Channel Routing: Route a single notification type to multiple channels

  • Channel Verification: Test connectivity with "Send Test" button

  • Auto-Deactivation: Automatically disable webhooks for archived/deleted channels

Scheduled notifications

VerifyWise sends automated notifications based on configured schedules:

  • Policy Due Soon Reminders: Daily at 9:00 AM UTC

  • Compliance Status Updates: Based on policy review dates

  • Background Processing: Queue-based system ensures reliable delivery

User guide

Adding a Slack integration

Step 1: Navigate to Settings

  • Go to Settings in VerifyWise

  • Click on Slack tab

Step 2: Authorize workspace

  • Click the "Add to Slack" button

  • Select your Slack workspace from the dropdown

  • Choose the channel where notifications will be sent

  • Click "Allow" to authorize VerifyWise

Step 3: Verify integration

  • Integration appears in the table with:

    • Team name (workspace)

    • Channel name

    • Creation date

    • Active status

  • Click "Send Test" to verify connectivity

Step 4: Configure notification routing (optional)

  • Click "Configure" button

  • For each notification type, select destination channel(s)

  • Click "Send Test" to verify routing

  • Click "Save Changes"

Notes:

  • A notification type can route to multiple channels

  • A channel can receive multiple notification types

  • Leaving a notification type empty means no routing for that type

  • Changes take effect immediately

Managing integrations

View all integrations

  • Table displays all connected workspaces and channels

  • Columns: Team Name, Channel, Creation Date, Active status, Actions

Deactivate integration

  • Integrations deactivate automatically when the channel is archived or deleted in Slack, or when the bot is removed from the channel

  • A deactivated integration shows "No" in the Active column

  • No notifications are sent to inactive integrations
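As an added example, not VerifyWise's own code, the routing and auto-deactivation rules above in one place: a notification type fans out to every channel mapped to it, and a Slack error that means the channel is archived, deleted or no longer reachable flips that integration to inactive so nothing is sent to it again. The store shape, the injected transport, the error lists and the sample data are this example's assumptions; the real implementation may differ.

```javascript
// Added example (not VerifyWise's own code) of multi-channel routing plus
// auto-deactivation. Store shape, transport and error lists are assumptions.

// chat.postMessage errors that mean the destination will not come back on its own.
const DEAD_CHANNEL_ERRORS = new Set(['channel_not_found', 'is_archived', 'not_in_channel']);
// Errors worth retrying later; they must never deactivate an integration.
const TRANSIENT_ERRORS = new Set(['ratelimited', 'internal_error', 'service_unavailable']);

// postMessage is the transport: ({ token, channel, text }) -> Slack JSON response.
// Slack answers HTTP 200 with { ok: false, error } for API-level failures, so the
// decision is made on the error string, not on the HTTP status.
function notify(integration, text, postMessage) {
  if (!integration.active) return { sent: false, status: 'inactive' };
  const res = postMessage({ token: integration.botToken, channel: integration.channelId, text });
  if (res.ok) return { sent: true, status: 'ok', ts: res.ts };
  if (DEAD_CHANNEL_ERRORS.has(res.error)) {
    integration.active = false;               // shows as "No" in the Active column
    integration.deactivatedReason = res.error;
    return { sent: false, status: 'deactivated', error: res.error };
  }
  if (TRANSIENT_ERRORS.has(res.error)) return { sent: false, status: 'retry', error: res.error };
  return { sent: false, status: 'failed', error: res.error };
}

// routing maps a notification type to the ids of the integrations that receive it.
// A type with no entry (or an empty list) is simply not delivered anywhere.
function routeNotification(type, routing, integrations, text, postMessage) {
  const results = [];
  for (const id of routing[type] || []) {
    const integration = integrations.find((i) => i.id === id);
    if (!integration) continue;
    results.push({ id, ...notify(integration, text, postMessage) });
  }
  return results;
}

// Constructed stand-in for the Slack API, answering per channel id. A real
// transport would POST to https://slack.com/api/chat.postMessage with
// "Authorization: Bearer <bot token>" and parse the JSON body; wrap notify()
// in an async function and await it there.
function fakeSlack(responses) {
  return ({ channel }) => responses[channel] || { ok: false, error: 'channel_not_found' };
}

// Sample data (constructed): one healthy channel, one archived, one rate-limited.
function runDemo() {
  const integrations = [
    { id: 1, teamName: 'Acme', channelId: 'C_ALERTS', botToken: 'xoxb-example', active: true },
    { id: 2, teamName: 'Acme', channelId: 'C_OLD', botToken: 'xoxb-example', active: true },
    { id: 3, teamName: 'Acme', channelId: 'C_BUSY', botToken: 'xoxb-example', active: true },
  ];
  const routing = { 'policy-reminders': [1, 2, 3], membership: [] };
  const slack = fakeSlack({
    C_ALERTS: { ok: true, ts: '1700000000.000100' },
    C_OLD: { ok: false, error: 'is_archived' },
    C_BUSY: { ok: false, error: 'ratelimited' },
  });
  const first = routeNotification('policy-reminders', routing, integrations, 'Policy review due in 7 days', slack);
  const second = routeNotification('policy-reminders', routing, integrations, 'Compliance updated', slack);
  const none = routeNotification('membership', routing, integrations, 'New user joined', slack);
  return { integrations, first, second, none };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

On the first run the archived channel comes back as deactivated and the rate-limited one as retry; on the second run the archived integration is skipped without any call to Slack, while the rate-limited one is tried again. Keeping transient errors out of the dead list is what prevents a Slack outage from silently switching off every integration.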

Remove integration

  • Currently requires manual deletion from workspace

  • Contact system administrator

Slack app setup

Creating a Slack app

  1. Go to https://api.slack.com/apps

  2. Click "Create New App"

  3. Choose "From scratch"

  4. Enter app name: VerifyWise (or your preferred name)

  5. Select workspace: Choose development workspace

  6. Click "Create App"

Configuring OAuth & permissions

Step 1: Add redirect URLs

  1. Navigate to OAuth & Permissions

  2. Scroll to Redirect URLs

  3. Add development URL: http://localhost:3000/setting/?activeTab=slack

  4. Add production URL: https://your-domain.com/setting/?activeTab=slack

  5. Click "Save URLs"

Step 2: Configure bot token scopes

  1. Scroll to Scopes section

  2. Under Bot Token Scopes, click "Add an OAuth Scope"

  3. Add these scopes:

    • channels:read

    • channels:manage

    • chat:write

    • chat:write.public

    • groups:write

    • groups:read

    • im:read

    • mpim:read

channels:manage and groups:write go beyond posting messages: they let the app create public and private channels and manage (rename, archive) the ones it has been added to. Review the list with your Slack admin, and protect the resulting bot token accordingly.

Step 3: Configure user token scopes

  1. Under User Token Scopes, click "Add an OAuth Scope"

  2. Add these scopes:

    • channels:read

    • channels:write.invites

    • groups:read

    • groups:write.invites

    • channels:write

    • chat:write

    • im:read

    • mpim:read

Installing to workspace

  1. Navigate to Install App in left sidebar

  2. Click "Install to Workspace"

  3. Review permissions and click "Allow"

  4. Copy Bot User OAuth Token (starts with xoxb-)

  5. Copy Signing Secret from Basic Information

Retrieving credentials

Client ID & Secret:

  1. Navigate to Basic Information

  2. Scroll to App Credentials

  3. Copy Client ID → Add to SLACK_CLIENT_ID

  4. Click Show next to Client Secret → Copy → Add to SLACK_CLIENT_SECRET

OAuth URLs:

  • Authorization URL (SLACK_URL): https://slack.com/oauth/v2/authorize

  • Token URL (SLACK_API_URL): https://slack.com/api/oauth.v2.access

Enabling incoming webhooks

  1. Navigate to Incoming Webhooks

  2. Toggle Activate Incoming Webhooks to On

  3. This allows VerifyWise to send formatted messages

Enabling bots

  1. Navigate to App Home

  2. Under Your App's Presence in Slack:

    • Display Name: VerifyWise (or your preference)

    • Default Username: @verifywise

  3. Enable Always Show My Bot as Online

Environment configuration

Required environment variables

# Slack OAuth Configuration
SLACK_URL=https://slack.com/oauth/v2/authorize
SLACK_API_URL=https://slack.com/api/oauth.v2.access
SLACK_CLIENT_ID=1234567890.1234567890
SLACK_CLIENT_SECRET=abcdef1234567890abcdef1234567890

# Frontend Configuration
FRONTEND_URL=https://verifywise.com

# Database (PostgreSQL)
DATABASE_URL=postgresql://user:password@localhost:5432/verifywise

# Redis (for job queue)
REDIS_HOST=127.0.0.1
REDIS_PORT=6379

# Encryption (for sensitive data)
ENCRYPTION_KEY=<32-byte-hex-string>   # the Basic setup section above names this setting ENCRYPTION_ALGORITHM / ENCRYPTION_PASSWORD; check which variable names your version reads before deploying

Development vs production

Development:

FRONTEND_URL=http://localhost:3000
SLACK_CLIENT_ID=<dev-app-client-id>
SLACK_CLIENT_SECRET=<dev-app-client-secret>

Production:

FRONTEND_URL=https://verifywise.com
SLACK_CLIENT_ID=<prod-app-client-id>
SLACK_CLIENT_SECRET=<prod-app-client-secret>

Note: Use separate Slack apps for development and production, so that development credentials and redirect URLs can never authorize against the production app.
