Debian: unattended-upgrades – automatic upgrades installation with email notifications via AWS SES

By | 05/23/2019

The unattended-upgrades package installs upgrades automatically on Debian/Ubuntu systems.

It’s a Python script (1500 lines) located at /usr/bin/unattended-upgrade (/usr/bin/unattended-upgrades is a symlink to it).

The CentOS/RHEL analog is yum-cron.

Install it:


$ sudo apt -y install unattended-upgrades


The main config file is /etc/apt/apt.conf.d/50unattended-upgrades where upgrade types, email settings etc can be configured.

Upgrade schedules are set in the /etc/apt/apt.conf.d/20auto-upgrades file, which can be created manually or by running dpkg-reconfigure unattended-upgrades:


The /etc/apt/apt.conf.d/20auto-upgrades options:

  • APT::Periodic::Enable: enable/disable upgrades, 1 to enable, 0 to disable
  • APT::Periodic::Update-Package-Lists: in days – how often to run apt update, 0 to disable it entirely
  • APT::Periodic::Download-Upgradeable-Packages: in days – how often to run apt-get upgrade --download-only
  • APT::Periodic::Unattended-Upgrade: in days – how often to run apt upgrade
  • APT::Periodic::AutocleanInterval: in days – how often to run apt-get autoclean
  • APT::Periodic::Verbose: email verbosity settings:
    • 0 – disabled entirely
    • 1 – whole upgrade process
    • 2 – same as above + packages stdout
    • 3 – same as above + tracing



Unattended-Upgrade::Origins-Pattern describes repositories to be used for upgrades:

Unattended-Upgrade::Origins-Pattern {

The ${distro_codename} variable will be replaced with the Debian codename, which is stretch at this time.


List of packages to be ignored during upgrades:

Unattended-Upgrade::Package-Blacklist {


Delete unused packages with apt-get autoremove:

Unattended-Upgrade::Remove-Unused-Dependencies "true";


The most useful option: send an email notification after upgrades. It uses mail from the mailutils package.

Unattended-Upgrade::Mail "[email protected]";


Unattended-Upgrade::Mail "root";


Send such notifications only if problems were found during the upgrade:

Unattended-Upgrade::MailOnlyOnError "true";


Reboot the server automatically if /var/run/reboot-required is found:

Unattended-Upgrade::Automatic-Reboot "true";

Reboot will be done immediately after upgrade if no Automatic-Reboot-Time is set.


If Unattended-Upgrade::Automatic-Reboot is set to true, then Automatic-Reboot-Time can be used to set the time for reboots:

Unattended-Upgrade::Automatic-Reboot-Time "02:00";
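
As an added example (not part of the original post or of the unattended-upgrades package), this Python sketch checks the options described above, from both config files, for combinations that silently leave a host unpatched or reboot it outside a maintenance window. It assumes flat `Key "value";` lines and apt's defaults of Enable 1 and intervals 0; the function names and the sample config are constructed.

```python
import re

# Flat `Key "value";` directives, the form used on this page. Nested
# apt.conf blocks (APT::Periodic { ... };) are out of scope for this sketch.
DIRECTIVE = re.compile(r'^\s*([A-Za-z][\w:-]*)\s+"([^"]*)"\s*;')

def parse_apt_conf(text):
    """Return {key: value}; a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#")):
            continue  # commented-out directive
        m = DIRECTIVE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit(settings):
    """List settings that leave the host unpatched or reboot it unexpectedly."""
    def off(key, default):  # assumption: defaults are Enable=1, intervals=0
        return settings.get(key, default).strip() in ("", "0")
    def true(key):
        return settings.get(key, "false").lower() == "true"
    findings = []
    if off("APT::Periodic::Enable", "1"):
        findings.append("periodic jobs disabled")
    if off("APT::Periodic::Update-Package-Lists", "0"):
        findings.append("package lists never refreshed")
    if off("APT::Periodic::Unattended-Upgrade", "0"):
        findings.append("unattended-upgrade never scheduled")
    if true("Unattended-Upgrade::Automatic-Reboot") and \
            "Unattended-Upgrade::Automatic-Reboot-Time" not in settings:
        findings.append("reboot happens immediately after upgrade")
    if true("Unattended-Upgrade::MailOnlyOnError") and \
            not settings.get("Unattended-Upgrade::Mail"):
        findings.append("MailOnlyOnError set but no Mail recipient")
    return findings

# Constructed sample: both files concatenated, as apt would merge them.
SAMPLE = '''
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
// APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::MailOnlyOnError "true";
'''

if __name__ == "__main__":
    for finding in audit(parse_apt_conf(SAMPLE)):
        print("WARN:", finding)
```

On a real host, feed it the concatenated contents of /etc/apt/apt.conf.d/20auto-upgrades and /etc/apt/apt.conf.d/50unattended-upgrades instead of the sample.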

Running unattended-upgrade

After everything is configured – you can execute it with dry-run to test:


root@bitwarden-production:/home/admin# unattended-upgrade -v -d --dry-run
Initial blacklisted packages: 
Initial whitelisted packages: 
Starting unattended upgrades script
Allowed origins are: ['origin=Debian,codename=stretch,label=Debian-Security']
pkgs that look like they should be upgraded: 
Fetched 0 B in 0s (0 B/s)                                                                                                                                                                                                            result: 0
blacklist: []
whitelist: []
No packages found that can be upgraded unattended and no pending auto-removals


And if any upgrades are available – install them:


root@bitwarden-production:/home/admin# unattended-upgrade -v -d


Email configuration

You can use a local Exim (see Exim: Mailing to remote domains not supported), but Gmail blocked the IP of this host, so AWS SES will be used here.

To send emails via AWS SES, install a local SMTP client, for example ssmtp:


root@bitwarden-production:/home/admin# apt install mailutils ssmtp


Edit /etc/ssmtp/ssmtp.conf:

[email protected]


Configure the Mail From address for SSMTP: set a mailbox that is configured in our AWS SES, otherwise you will receive the “554 Message rejected: Email address is not verified” error.

Edit /etc/ssmtp/revaliases file:

root: [email protected]

Check email sending:


root@bitwarden-production:/home/admin# echo "Test" | mail -s "Test" [email protected]


Logs, if any, can be found in the /var/log/unattended-upgrades/ directory.