GNU/Linux Automatic Security updates with cron-apt and e-mail notifications (msmtp)

Everytime I build a new server one of the feature that I immediately configure is to install security update automatically for the Operating System and installed pakckages. In Debian you can configure automatic updates thanks to cron-apt.

I love to use cron-apt in conjunction with e-mail notifications. Every time the apt update/upgrade is launched via cron-apt I want to receive an e-mail with information about what package is available to install and what security updates have been installed (if any).

What we need to install to achieve the above is:

apt update && apt install cron-apt msmtp

In case the above command will also install sendmail, you can definitely proceed to remove it with all related packages. We do not want to run an entire Mail Server just to send few emails from cron-apt. That is why we installed msmtp too, it will be working as smtp client to send emails via a relayhost (like our standard mail provider).

We first start with the configuration of cron-apt. Critical to understand is that configuration of cron-apt relies on 1 file and 2 directories:

/etc/cron-apt/config
/etc/cron-apt/config.d/
/etc/cron-apt/action.d/

In the mentioned first file above (config) we will inform cron-apt that we want to receive email notifications. We can immediately do so adding the following 2 directives:

MAILON="output"
MAILTO="your_email@your_provider.com"

MAILON can be set to following values: error, upgrade, changes, output, always, never. In my case I will use output to get the details I want every time cron-apt is called. MAILTO is set by default to local root user, unless we specify a different address like I did.

For the sake of simplicity, let’s go straight into the configuration of the security updates.

If you see the content of the directory /etc/cron-apt/action.d you will notice that there are 3 files, all of them start with a number:

# ls /etc/cron-apt/action.d/
0-update 3-download 5-security

If you open them the content is self-explanatory. To go ahead with download and install of security updates for debian, we need to create a file in /etc/cron-apt/config.d and let’s call it 5-security exactly as we have in directory /etc/cron-apt/action.d. The content of the file will tell cron-apt to download the list of the packages of the security sources and update them straight away. Let’s then add the following into the file (in one single line):

OPTIONS="-o quiet=1 -o APT::Get::List-Cleanup=false -o Dir::Etc::SourceList=/etc/apt/sources.list.d/security.list -o Dir::Etc::SourceParts=\"/dev/null\""

We now want to move the apt configuration links of the security repositories from the standard one (/etc/apt/sources.list) to the new file mentioned in the configuration above:

/etc/apt/sources.list.d/security.list

Let’s then comment the deb source from /etc/apt/sources.list like this:

#deb http://security.debian.org/debian-security buster/updates main
#deb-src http://security.debian.org/debian-security buster/updates main

and add the two repository to the file /etc/apt/sources.list.d/security.list:

 deb http://security.debian.org/debian-security buster/updates main
 deb-src http://security.debian.org/debian-security buster/updates main

You can now try to run apt update and check that the command does not give you errors.

By default apt-cron will run every day at 4AM. If you want to change this behavior you can modify the file:

/etc/cron.d/cron-apt

Last step is to configure msmtp in order to have e-mail notifications. The only file we will create and work with is in the root home directory: ~/.msmtprc

We can follow the example provided here for the configuration but I will anyway report my own for simplicity:

# Set default values for all following accounts.
defaults
port 587
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        ~/.msmtp.log
#My e-mail account
account <your_account_name> host <smtp.youraccount.com> from <your_user@youraccount.com>
auth on
user <user>
passwordeval gpg --no-tty -q -d ~/.msmtp-Your_account_name.gpg

# Set a default account
account default : <your_account_name>

Let me just highlight that you will notice the use of gpg here in the configuration file (passwordeval). This is because we would like to avoid to save the email password in a text file and luckily enough msmtp allows us to leverage gpg to store our password instead of clear text. In order to leverage such possibility it is critical that the e-mail user has a valid GPG key already prepared and retrievable from the server we are working on. If this is the case then let’s save our email password encrypted 🙂 From the terminal run:

gpg --encrypt -o .msmtp-Your_account_name.gpg -r your_user@youraccount.com -

You will be asked for a password (that is your email password), type it with care and you are done!

If you do not want to work with GPG keys and encryption, you can still save the password in clear text. Simply change from the file .msmtprc the value passwordeval with:

password <clear_text_Password>

Then, do not forget to change the file permission to 600:

chmod 600 ~/.msmtprc

Let’s just try if it works. Again from termianl type:

msmtp recipient@example.org

Type your message and hit CTRL+D to send it. If all went fine (you can check in your log files in ~/.msmtp.log) the recipient will receive your email and you can now be sure that cron-apt will notify you about new updates!

There is one last step to do in order to have cron-apt to correctly send e-mails. By default it will indeed search for sendmail binaries which are not there anymore if you install msmtp without sendmail (like I suggested at the very beginning). We have to create a symbolic link:

ln -s /usr/bin/msmtp /usr/bin/sendmail

Once that is done you can try if emails are sent by cron-apt with command:

cron-apt /etc/cron-apt/config

If all went fine you should get the command line back and confirm the email was sent looking at log file you configured in msmtprc.

Related Post

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.