Set up updates notifications on Debian

When you start to manage several PCs, servers or VMs running Linux, you run into one major problem: managing the updates.

In this how-to we'll see how to set up a system to send an email when updates are available.

To do that we need an SMTP server. SMTP is the protocol used to transfer emails.

A little reminder of the terminology to clear things up:

  • MTA – Mail Transfer Agent provided by Sendmail, Postfix
  • MDA – Mail Delivery Agent provided by Procmail
  • MUA – Mail User Agent provided by Outlook, Thunderbird
  • SMTP – Simple Mail Transfer Protocol provided by Sendmail, Postfix
  • POP3 – Post Office Protocol 3 provided by Dovecot
  • IMAP – Internet Message Access Protocol provided by Dovecot

In our case we'll choose postfix as SMTP relay.

Postfix as SMTP relay

First we install postfix

apt install -y postfix mailutils

During the process you can choose to configure manually later (or the "Internet Site" option if you have a domain to send your email from).

We check that the service is running by typing service postfix status or systemctl status postfix in the terminal. It returns something like this:

[Image: Netstat]

Set up Postfix

Before changing the settings, we back up the postfix config file by typing cp /etc/postfix/main.cf /etc/postfix/main.cf.orig.

Below is my main.cf as an example

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = Atlas.ovh.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

To test that it works, run echo "Test of postfix configuration" | mail -s "My subject" myemail@domain.com in your terminal.

Check your mailbox: you should have a new email!

SMTP relay with SSL/TLS

If you are required to, or if you prefer, you can use an external SMTP server and configure postfix as an SMTP relay.

To do that, edit /etc/postfix/main.cf.

# Replace
relayhost =

# With
relayhost = [smtp.server.com]:587

After that you must add these lines

smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_sasl_mechanism_filter = login, plain

We create the sasl_passwd file, which will contain the credentials used to log in to our mailbox

# Create the file readable by root only, before the password goes in
(umask 077 && touch /etc/postfix/sasl_passwd)

Inside we add this line

smtp.server.com email@server.com:your_mail_password

Now we secure the file and create the lookup database

chmod 0600 /etc/postfix/sasl_passwd && postmap /etc/postfix/sasl_passwd

# Check that the configuration is valid
postfix check

# and restart the service
systemctl restart postfix

As shown above, you can use the command line below to verify that postfix works.

echo "Your Message" | mail -s "Mail subject" destemail@domain.com
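The relay settings above leave a few things loose: smtp_use_tls = yes only makes TLS opportunistic, smtp_sasl_security_options = noanonymous drops the default noplaintext protection, smtpd_sasl_auth_enable concerns incoming mail, and inet_interfaces = all opens the SMTP port on every address. The script below is an added example (not part of the original how-to) that checks a main.cf for these points; the function names and the two sample configurations are constructed for illustration.

```shell
# Assumes plain "name = value" lines without continuation lines; last one wins.
cf_get() {  # cf_get FILE NAME -> effective value of NAME (empty if unset)
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == k) v = val }
        END { print v }' "$1"
}

audit_relay_cf() {  # one finding per line, nothing when clean
    cf=$1
    ifaces=$(cf_get "$cf" inet_interfaces)
    if [ "${ifaces:-all}" = all ]; then
        echo "LISTEN_ALL: smtpd listens on every address; a send-only host can use loopback-only"
    fi
    if [ "$(cf_get "$cf" smtpd_sasl_auth_enable)" = yes ]; then
        echo "INBOUND_AUTH: smtpd_sasl_auth_enable is for incoming mail; relaying out needs only smtp_sasl_auth_enable"
    fi
    if [ -n "$(cf_get "$cf" relayhost)" ] && [ "$(cf_get "$cf" smtp_sasl_auth_enable)" = yes ]; then
        case "$(cf_get "$cf" smtp_tls_security_level)" in
            encrypt|dane-only|fingerprint|verify|secure) ;;
            *)  echo "TLS_OPTIONAL: TLS to the relay is not mandatory; set smtp_tls_security_level = encrypt"
                case "$(cf_get "$cf" smtp_sasl_security_options)" in
                    ""|*noplaintext*) ;;
                    *) echo "PLAINTEXT_NO_TLS: smtp_sasl_security_options lacks noplaintext, so the password may be sent without TLS" ;;
                esac ;;
        esac
    fi
    return 0
}

page_relay_cf() {      # constructed sample: the relay settings shown on this page
    printf '%s\n' 'inet_interfaces = all' 'relayhost = [smtp.server.com]:587' \
        'smtp_sasl_auth_enable = yes' 'smtpd_sasl_auth_enable = yes' \
        'smtp_sasl_security_options = noanonymous' 'smtp_use_tls = yes'
}
hardened_relay_cf() {  # constructed sample: same relay, TLS enforced, loopback only
    printf '%s\n' 'inet_interfaces = loopback-only' 'relayhost = [smtp.server.com]:587' \
        'smtp_sasl_auth_enable = yes' 'smtp_tls_security_level = encrypt' \
        'smtp_sasl_tls_security_options = noanonymous'
}

tmp=$(mktemp)
page_relay_cf > "$tmp" && audit_relay_cf "$tmp"      # four findings
hardened_relay_cf > "$tmp" && audit_relay_cf "$tmp"  # no output
rm -f "$tmp"
```

The legacy smtp_enforce_tls parameter is not evaluated, so a file that relies on it is reported as TLS_OPTIONAL.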

About apticron

Apticron is a simple script which sends daily emails about pending package updates such as security updates, properly handling packages on hold both by dselect and aptitude.

Install and set up apticron

Now that we have an SMTP server installed, we can install apticron.

apt install -y apticron

Then you can set up your /etc/apticron/apticron.conf as below

# apticron.conf
#
# set EMAIL to a space separated list of addresses which will be notified of
# impending updates
#
EMAIL="email_dest@domain.com"

#
# Set DIFF_ONLY to "1" to only output the difference of the current run
# compared to the last run (ie. only new upgrades since the last run). If there
# are no differences, no output/email will be generated. By default, apticron
# will output everything that needs to be upgraded.
#
# DIFF_ONLY="1"

#
# Set LISTCHANGES_PROFILE if you would like apticron to invoke apt-listchanges
# with the --profile option. You should add a corresponding profile to
# /etc/apt/listchanges.conf
#
# LISTCHANGES_PROFILE="apticron"

#
# From hostname manpage: "Displays all FQDNs of the machine. This option
# enumerates all configured network addresses on all configured network
# interfaces, and translates them to DNS domain names. Addresses that cannot be
# translated (i.e. because they do not have an appropriate reverse DNS
# entry) are skipped. Note that different addresses may resolve to the same
# name, therefore the output may contain duplicate entries. Do not make any
# assumptions about the order of the output."
#
# ALL_FQDNS="1"

#
# Set SYSTEM if you would like apticron to use something other than the output
# of "hostname -f" for the system name in the mails it generates. This option
# overrides the ALL_FQDNS above.
#
# SYSTEM="foobar.example.com"

#
# Set IPADDRESSNUM if you would like to configure the maximal number of IP
# addresses apticron displays. The default is to display 1 address of each
# family type (inet, inet6), if available.
#
# IPADDRESSNUM="1"

#
# Set IPADDRESSES to a whitespace separated list of reachable addresses for
# this system. By default, apticron will try to work these out using the
# "ip" command
#
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"

#
# Set NOTIFY_HOLDS="0" if you don't want to be notified about new versions of
# packages on hold in your system. The default behavior is downloading and
# listing them as any other package.
#
# NOTIFY_HOLDS="0"

#
# Set NOTIFY_NEW="0" if you don't want to be notified about packages which
# are not installed in your system. Yes, it's possible! There are some issues
# related to systems which have mixed stable/unstable sources. In these cases
# apt-get will consider for example that packages with "Priority:
# required"/"Essential: yes" in unstable but not in stable should be installed,
# so they will be listed in dist-upgrade output. Please take a look at
# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531002#44
#
# NOTIFY_NEW="0"

#
# Set NOTIFY_NO_UPDATES="0" if you don't want to be notified when there is no
# new versions. Set to 1 could assure you that apticron works well.
#
# NOTIFY_NO_UPDATES="0"

#
# Set CUSTOM_SUBJECT if you want to replace the default subject used in
# the notification e-mails. This may help filtering/sorting client-side e-mail.
# If you want to use internal vars please use single quotes here. Ex:
# $CUSTOM_SUBJECT='[apticron] $SYSTEM: $NUM_PACKAGES package update(s)'
#
# CUSTOM_SUBJECT=""

# Set CUSTOM_NO_UPDATES_SUBJECT if you want to replace the default subject used
# in the no update notification e-mails. This may help filtering/sorting
# client-side e-mail.
# If you want to use internal vars please use single quotes here. Ex:
# $CUSTOM_NO_UPDATES_SUBJECT='[apticron] $SYSTEM: no updates'
#
# CUSTOM_NO_UPDATES_SUBJECT=""

#
# Set CUSTOM_FROM if you want to replace the default sender by changing the
# 'From:' field used in the notification e-mails. Your default sender will
# be something like root@chat.
#
CUSTOM_FROM="updates@YOUR_HOSTNAME"

It is simple: just change the values of EMAIL and CUSTOM_FROM. When that is done, you can test that apticron works by running /usr/sbin/apticron.

Check your log to see if everything works fine

tail -30 /var/log/mail.log
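A notification that silently stops arriving looks the same as "no updates", so it helps to check the delivery status rather than just read the tail of the log. The functions below are an added example (not part of the original how-to) that counts outbound delivery results for one recipient and shows the reason for the latest failure; the log lines, host name and addresses are constructed in the usual Postfix log format.

```shell
delivery_summary() {  # delivery_summary LOGFILE RECIPIENT -> "sent=N deferred=N bounced=N"
    awk -v rcpt="to=<$2>," '
        /postfix\/smtp\[/ && index($0, rcpt) && match($0, /status=[a-z]+/) {
            n[substr($0, RSTART + 7, RLENGTH - 7)]++ }
        END { printf "sent=%d deferred=%d bounced=%d\n", n["sent"], n["deferred"], n["bounced"] }' "$1"
}

last_failure() {  # reason given for the most recent deferred or bounced delivery
    awk -v rcpt="to=<$2>," '
        /postfix\/smtp\[/ && index($0, rcpt) && /status=(deferred|bounced) \(/ {
            r = $0; sub(/^.*status=[a-z]+ \(/, "", r); sub(/\)$/, "", r); last = r }
        END { print last }' "$1"
}

sample_mail_log() {  # constructed log lines, not taken from a real system
    cat <<'EOF'
Mar  4 02:00:03 atlas postfix/smtp[2101]: 3F2A1C0D: to=<email_dest@domain.com>, relay=smtp.server.com[192.0.2.25]:587, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Mar  5 02:00:04 atlas postfix/smtp[2377]: 7B90E1A2: to=<email_dest@domain.com>, relay=smtp.server.com[192.0.2.25]:587, delay=0.9, delays=0.1/0/0.8/0, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.server.com[192.0.2.25] said: 535 5.7.8 authentication failed)
Mar  5 02:10:11 atlas postfix/smtp[2390]: 9C11D0F4: to=<someone.else@domain.com>, relay=smtp.server.com[192.0.2.25]:587, delay=0.7, delays=0.1/0/0.3/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
EOF
}

log=$(mktemp)
sample_mail_log > "$log"
delivery_summary "$log" email_dest@domain.com   # sent=1 deferred=1 bounced=0
last_failure "$log" email_dest@domain.com
rm -f "$log"
```

On a real host, pass /var/log/mail.log and the address set in EMAIL.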

Schedule the verification

You can set up apticron to run the check every day at the same hour.

By default, apticron has already created its own cron task under /etc/cron.d/apticron.

You can delete it or change the hour at which it runs.

In my case I edited the crontab of my root user to add

# Launch apticron every night at 02:00
00 2 * * * /usr/sbin/apticron

And I deleted /etc/cron.d/apticron.

In fact it is unnecessary because the initial cron job works fine, keep it!

Success

Now you can receive a status of the availability of updates on your different Debian/Ubuntu systems.