Infosec Scribbles

March 25, 2018

Ubuntu Update Notifications via SMTP Relay

One thing I really wanted to have on my server was the ability for system packages to send mail externally. This is useful for upgrade notifications or any kind of monitoring alerts that systems may emit. On the other hand, I have better things to do than worry about a private mail server. The solution I came up with is setting up postfix to act as an SMTP relay, using an SMTP account at a third-party mail server for outgoing mail.

Step 1: Install postfix and mailutils

This is as simple as running

sudo apt install postfix mailutils

In the configuration prompt, select Internet Site - not that it really matters.

Step 2: Configure main.cf

Edit /etc/postfix/main.cf. Ensure that myhostname and mydestination contain your correct domain.

Tell postfix where the SMTP server is:

relayhost = [smtp.yourmailprovider.com]:465

Note that the square brackets are the correct syntax to use here. 465 is the default SMTP port for SSL connections - change as appropriate.

Set inet_interfaces to loopback-only to ensure that your postfix instance does not accept external connections.

Finally, add the following lines at the end to enable SASL authentication and TLS encryption of SMTP connections:

# SMTP Server auth settings
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_use_tls = yes
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Step 3: Set up authentication

In the previous step we told postfix to use /etc/postfix/sasl/passwd as the source of SMTP credentials. Time to populate that file with the credentials. The format here is:

[smtp.yourmailprovider.com]:465 smtp_username_here:smtp_password_here

Once you’ve added your credentials, generate the database:

cd /etc/postfix/sasl
sudo postmap passwd

You can now use the mail command to send emails from this host. They will be routed through the third party SMTP server that you’ve set up.
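
To check the result of Steps 2 and 3, the following added example (not part of the original post) audits main.cf for the loopback-only, SASL and mandatory-TLS settings shown above, and checks that the credentials file and its postmap database are not accessible to other users. The function names and the owner-only permission policy are assumptions of this example; file paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: audit the relay settings.

# cf_get FILE PARAM: print the last value assigned to PARAM (later lines win).
# Comment and continuation lines are skipped (first physical line only).
cf_get() {
    awk -v k="$2" '
        /^[ \t#]/ { next }
        { i = index($0, "="); if (!i) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == k) v = val }
        END { print v }' "$1"
}

# audit_main_cf FILE: one FAIL line per setting that differs from the post.
audit_main_cf() (
    bad=0
    while read -r param want; do
        got=$(cf_get "$1" "$param")
        [ "$got" = "$want" ] && continue
        echo "FAIL $param: want '$want', found '${got:-unset}'"; bad=1
    done <<'EOF'
inet_interfaces loopback-only
smtp_sasl_auth_enable yes
smtp_sasl_security_options noanonymous
smtp_tls_security_level encrypt
EOF
    exit "$bad"
)

# audit_secret_perms FILE...: these files hold the SMTP password in clear
# text, so group and other must have no access (assumed policy: mode 600).
audit_secret_perms() (
    bad=0
    for f in "$@"; do
        [ -e "$f" ] || { echo "FAIL $f: missing"; bad=1; continue; }
        mode=$(stat -c '%a' "$f")   # GNU stat, as shipped on Ubuntu
        [ $(( 0$mode & 077 )) -eq 0 ] && continue
        echo "FAIL $f: mode $mode grants access beyond the owner"; bad=1
    done
    exit "$bad"
)

# Usage: sh audit.sh MAIN_CF SECRET_FILE...
if [ $# -gt 0 ]; then
    cf=$1; shift
    audit_main_cf "$cf"; audit_secret_perms "$@"
fi
```

Run it as `sudo sh audit.sh /etc/postfix/main.cf /etc/postfix/sasl/passwd /etc/postfix/sasl/passwd.db`; if the permission check fails, tighten both files with `sudo chmod 600`.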

(Optional) Step 4: Set up unattended-upgrades notifications

First, add your email as an alias for the root user. Edit /etc/aliases:

root: your@email.here

Save the changes and run sudo newaliases. This ensures that any mail sent to the root user will be redirected to your actual mailbox.

Edit /etc/apt/apt.conf.d/50unattended-upgrades. Uncomment the line that reads

Unattended-Upgrade::Mail "root";

Save the changes and restart the unattended upgrades service:

sudo systemctl restart unattended-upgrades

Now you will receive summaries of unattended-upgrades from your server.