Auto updates

Here's how to set up your Debian system to update automatically.

This page describes how to set up automatic security updates with unattended-upgrades and email notifications via msmtp on Debian Linux systems. [std](https://std.rocks/gnulinux_debian_auto_update.html)

1. Install unattended-upgrades and msmtp

apt update
apt install -y unattended-upgrades msmtp msmtp-mta mailutils
dpkg-reconfigure -plow unattended-upgrades

Notes: [freundschafter](https://freundschafter.com/how-to-set-up-msmtp-on-debian-to-use-a-mailhoster-with-smtp/)

Check that sendmail points to msmtp:

readlink -f /usr/sbin/sendmail
# should be /usr/bin/msmtp or a msmtp-mta symlink

2. Configure msmtp

Create /etc/msmtprc:

cat >/etc/msmtprc <<'EOF'
# Global msmtp config
 
defaults
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        /var/log/msmtp.log
 
account        default
host           smtp.yourdomain.tld
port           587
from           unattended@yourdomain.tld
user           user@yourdomain.tld
password       CHANGE_ME
EOF
 
chmod 600 /etc/msmtprc
touch /var/log/msmtp.log
chmod 640 /var/log/msmtp.log

Adjust: host, port, from, user, and password for your SMTP provider. [gist.github](https://gist.github.com/movd/7a9e3db63d076f85d16c7dcde62fe401)
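A quick audit of the file created above, as an added example that is not part of the original page: `audit_msmtprc` and `msmtprc_get` are hypothetical helper names, and the checks assume the single-account layout shown here and GNU `stat` as shipped on Debian. It flags a password file that group or others can access, TLS or certificate checking switched off, the unfilled `CHANGE_ME` placeholder, and a port/`tls_starttls` mismatch (465 is implicit TLS, 587 is STARTTLS).

```shell
#!/bin/sh
# Added example: audit an msmtprc laid out like the one on this page
# (a "defaults" block plus a single "account default" block).
# Usage (as root): audit_msmtprc /etc/msmtprc

# Print the value of the last "KEY VALUE" line for KEY ($2) in file $1.
# Comment lines never match because their first field is "#".
msmtprc_get() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Prints one line per finding; returns 0 if clean, 1 if anything was found,
# 2 if the file cannot be inspected.
audit_msmtprc() {
    f=$1 rc=0
    finding() { echo "FINDING: $*"; rc=1; }

    # The file holds the SMTP password: no group/other permission bits.
    mode=$(stat -c '%a' "$f") || return 2
    case $mode in
        *00) ;;
        *) finding "$f is mode $mode, expected 600" ;;
    esac

    # Credentials must only travel over a verified TLS session.
    [ "$(msmtprc_get "$f" tls)" = on ] || finding "tls is not on"
    [ "$(msmtprc_get "$f" tls_certcheck)" = off ] &&
        finding "tls_certcheck off disables server certificate checks"

    # The template value must have been replaced.
    [ "$(msmtprc_get "$f" password)" = CHANGE_ME ] &&
        finding "password is still the CHANGE_ME placeholder"

    # msmtp defaults to STARTTLS; port 465 needs the tunnelled variant.
    port=$(msmtprc_get "$f" port)
    starttls=$(msmtprc_get "$f" tls_starttls)
    if [ "$port" = 465 ] && [ "$starttls" != off ]; then
        finding "port 465 needs tls_starttls off"
    elif [ "$port" = 587 ] && [ "$starttls" = off ]; then
        finding "port 587 expects STARTTLS, but tls_starttls is off"
    fi
    return $rc
}
```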

For providers using SMTPS (465/SSL) instead of STARTTLS on 587, change:

Optional: aliases for local users

Create /etc/msmtp-aliases:

cat >/etc/msmtp-aliases <<'EOF'
root:    user@yourdomain.tld
default: user@yourdomain.tld
EOF
 
chmod 600 /etc/msmtp-aliases

Add the aliases line inside /etc/msmtprc (in the account default block): [freundschafter](https://freundschafter.com/how-to-set-up-msmtp-on-debian-to-use-a-mailhoster-with-smtp/)

aliases /etc/msmtp-aliases

(optional) Make the mail(1) command use msmtp

Create /etc/mail.rc:

cat >/etc/mail.rc <<'EOF'
set sendmail="/usr/bin/msmtp -t"
set from=unattended@fortier.it
EOF

3. Test msmtp and CLI mail

Direct msmtp test

echo "Hello from $(hostname)" | msmtp -d user@yourdomain.tld

If there is a problem, inspect:

tail -n 50 /var/log/msmtp.log

for SMTP / TLS / auth errors. [manpages.debian](https://manpages.debian.org/testing/msmtp/msmtp.1.en.html)

Test via mail(1) (what unattended-upgrades uses)

echo "Test via mail from $(hostname)" | mail -s "msmtp mail test $(hostname)" arnaud@fortier.it

If this arrives, the system-wide mail path is working.

4. Configure unattended-upgrades mail and origins

Edit /etc/apt/apt.conf.d/50unattended-upgrades and make sure the following lines are present and not commented: [techlabs](https://techlabs.blog/categories/debian-linux/automatically-install-updates-using-unattended-upgrades-on-debian-11)

Unattended-Upgrade::Mail "user@yourdomain.tld";
Unattended-Upgrade::MailReport "always";

Typical Origins-Pattern for Debian 13 (adjust for Raspbian or other origins):

Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-updates,label=Debian";
};

5. Enable and check apt systemd timers

Enable the standard apt timers: [exampleconfig](https://exampleconfig.com/default/apt/etc-systemd-apt-daily-upgrade-timer)

systemctl enable --now apt-daily.timer apt-daily-upgrade.timer

List timers:

systemctl list-timers 'apt-daily*'

You should see:

with NEXT showing future times.

6. Live tests for unattended-upgrades

A. Manual debug run (immediate mail)

unattended-upgrades --dry-run --debug

At the end you should see lines similar to: [prezu](https://prezu.ca/post/unattended-upgrades-debian/)

A notification email should arrive even if there are:

B. Simulate a real timer run

Trigger the same service that the timer calls:

systemctl start apt-daily-upgrade.service
journalctl -u apt-daily-upgrade.service -n 50

Then check the unattended-upgrades log:

tail -n 50 /var/log/unattended-upgrades/unattended-upgrades.log

You should see either:

In both cases a mail report should have been sent. [std](https://std.rocks/gnulinux_debian_auto_update.html)

If something fails:

    tail -n 50 /var/log/msmtp.log
 
    journalctl -u apt-daily-upgrade.service -n 50
 

7. Minimal checklist

  1. Install:
    1. apt install unattended-upgrades msmtp msmtp-mta mailutils
  2. Configure /etc/msmtprc (and optional /etc/msmtp-aliases, /etc/mail.rc); test with:
    1. echo test | msmtp -d you@example.com
    2. echo test | mail -s "test" you@example.com
  3. Set in /etc/apt/apt.conf.d/50unattended-upgrades:
    1. Unattended-Upgrade::Mail "you@example.com";
    2. Unattended-Upgrade::MailReport "always";
  4. Enable timers:
    1. systemctl enable --now apt-daily.timer apt-daily-upgrade.timer
  5. Test unattended-upgrades:
    1. unattended-upgrades --dry-run --debug
    2. systemctl start apt-daily-upgrade.service

[techlabs](https://techlabs.blog/categories/debian-linux/automatically-install-updates-using-unattended-upgrades-on-debian-11)

OLD: the notes below describe the previous setup

Install

apt-get install -y unattended-upgrades apt-listchanges mailutils postfix

Config

vi /etc/apt/apt.conf.d/50unattended-upgrades
// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        //"${distro_id}ESMApps:${distro_codename}-apps-security";
        //"${distro_id}ESM:${distro_codename}-infra-security";
        "${distro_id}:${distro_codename}-updates";
        //"${distro_id}:${distro_codename}-proposed";
        //"${distro_id}:${distro_codename}-backports";
        "Docker:${distro_codename}";
};
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "arnaud+XXXXXXXXX@fortier-family.com";
 
// Set this value to one of:
//    "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to choose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "on-change";
 
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

Automate:

dpkg-reconfigure -plow unattended-upgrades

Mails:

dpkg-reconfigure postfix
systemctl reload postfix

Test:

unattended-upgrade -d

Daily package check and upgrade

vi /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Automatic reboot when needed

vi /etc/apt/apt.conf.d/50unattended-upgrades
...
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
...
systemctl restart unattended-upgrades

Mail via msmtp

 apt install msmtp msmtp-mta mailutils
vi /etc/msmtprc
defaults
auth           on
tls            on
tls_starttls   off
tls_trust_file /etc/ssl/certs/ca-certificates.crt
 
# SMTP server config 
account        default
host           mail.fortier-family.com
port           465
from           arnaud+SERV@fortier-family.com
user           arnaud@fortier-family.com
password       *********LOL***********

Test:

echo "Test mail from $(hostname)" | mail -s "Test subject" arnaud+srv1@fortier-family.com

Kali

Following https://bugs.kali.org/view.php?id=8587
Change in /etc/apt/apt.conf.d/50unattended-upgrades

//        "origin=Debian,codename=${distro_codename},label=Debian-Security";
//        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
 
        "origin=Kali,codename=${distro_codename}";

Ubuntu

A bug prevents SIGTERM from being sent properly to containers: https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2079006 Let's make a service for that:

 vi /etc/systemd/system/docker-graceful-stop.service
[Unit]
Description=Gracefully stop Docker containers before system shutdown or reboot
DefaultDependencies=no
Before=shutdown.target reboot.target halt.target
Requires=docker.service
After=network.target docker.service
 
[Service]
Type=oneshot
ExecStart=/bin/true
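# systemd does not run Exec lines through a shell, so wrap the command
# substitution in sh -c; "$$" passes a literal "$" through to the shell.
ExecStop=/bin/sh -c '/usr/bin/docker stop $$(/usr/bin/docker ps -q)'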
RemainAfterExit=yes
TimeoutStopSec=300
 
[Install]
WantedBy=halt.target reboot.target shutdown.target
systemctl daemon-reload
systemctl enable docker-graceful-stop.service

As always it's not that simple…

apt-daily-upgrade.timer

systemctl list-timers apt-daily-upgrade.timer
systemctl edit apt-daily-upgrade.timer
[Timer]
OnCalendar=
OnCalendar=*-*-* 02:15
RandomizedDelaySec=0
Persistent=true
systemctl daemon-reload
systemctl restart apt-daily-upgrade.timer
systemctl list-timers apt-daily-upgrade.timer

apt-daily.timer

Of course… the upgrade is pointless if apt update hasn't run beforehand, so schedule that timer earlier:

systemctl edit apt-daily.timer
[Timer]
OnCalendar=
OnCalendar=*-*-* 01:45
RandomizedDelaySec=0
Persistent=true
systemctl daemon-reload
systemctl restart apt-daily.timer
systemctl list-timers apt-daily.timer

Reference