20. Install Thunderbird and use it to encrypt/decrypt emails

by Double Bastion - Updated March 8, 2022

20.1. Install Thunderbird

The best free and open source standalone IMAP/POP3 client is Thunderbird, because of its features, usability and history. The big advantage of using a standalone email client installed on your main computer, is that you can connect all your email accounts, including the ones on mail servers that you configured by yourself as described in this guide, to one single application, so that you can check all your new emails in one central place. We will describe below how to install Thunderbird and configure it for email encryption.

To be able to encrypt emails, you will need GnuPG which is included in all major Linux distributions, so, you don’t need to install it.

To install Thunderbird in Debian and related Linux distributions, you can use the Synaptic Package Manager or the command line (apt-get install thunderbird).

Once you install Thunderbird, you can set a ‘Primary Password’ that you’ll have to enter once, each time you start Thunderbird: ‘Edit’ > ‘Preferences’ > ‘Privacy & Security’ > ‘Passwords’ > Check ‘Use a Primary Password’ > ‘Enter new password’.

To add to Thunderbird an email account that you created on your mail server, click on ‘File’ > ‘New’ > ‘Existing Mail Account’ > in the ‘Your full name’ field type the whole email address (Eg.: admin@example.com); in the ‘Email address’ field enter the whole email address again; in the ‘Password’ field enter the password for that email address, leave the ‘Remember password’ checkbox checked, then don’t click the ‘Continue’ button; instead click the ‘Configure Manually’ link, to be able to enter manually the correct connection details.

For IMAP and SMTP, the settings should look like the following:

IMAP
mail.example.com
993
SSL/TLS
Encrypted password
admin@example.com

SMTP
mail.example.com
587
STARTTLS
Encrypted password
admin@example.com

See below:

If you want to configure POP3 (instead of IMAP) and SMTP for an email account on the server, the settings should be:

POP3
mail.example.com
995
SSL/TLS
Encrypted password
admin@example.com

SMTP
mail.example.com
587
STARTTLS
Encrypted password
admin@example.com

See below:

It can happen that even after you enter the credentials correctly, Thunderbird may have trouble connecting, so, you will need to press ‘Re-test’ and ‘Done’ multiple times.

Obviously, if you have email accounts opened with public email providers, you can connect them to Thunderbird in a similar manner. You will just have to find the domains and ports of their IMAP/POP3 and SMTP servers, which they usually display on their official website. Please note that there are public email providers whose free email accounts can’t be connected to Thunderbird (like Protonmail). Only their paid accounts allow IMAP and SMTP connections with an email client like Thunderbird.

After adding a new existing email account to Thunderbird, you can right-click the name of the account on the left panel and after selecting ‘Settings’, the ‘Account Settings’ window will open. Here you can change many settings for the selected account. Please consider making the following changes:

– in ‘Junk Settings’, you can uncheck ‘Enable adaptive junk mail controls for this account’, because the email account you just added should already have spam filtering capability, so it’s not necessary to train Thunderbird to recognize spam emails and move them to the Junk folder.

– in ‘Synchronization and Storage’ you can uncheck ‘Keep messages in all folders for this account on this computer’, since for an IMAP connection, all the emails remain stored on the remote server anyway.

To enable encrypted passwords for the SMTP connection, go to ‘Edit’ > ‘Account Settings’ , scroll down on the left panel and click on the ‘Outgoing Server (SMTP)’, then click on the ‘admin@example.com – mail.example.com (Default)’ line, then click on ‘Edit’, and in the ‘Authentication method’ dropdown choose ‘Encrypted password’, then click ‘OK’ > ‘OK’.

Choose if the emails you send from Thunderbird will be sent by default in HTML or plain text format by going to ‘Edit’ > ‘Preferences’ > ‘Composition’ > under ‘HTML Style’ click on the ‘Send Options …’ button; if you want to send emails in the HTML format, uncheck the ‘Send messages as plain text if possible’ box and from the drop-down list under ‘When sending messages in HTML format and one or more recipients are not listed as being able to receive HTML’, choose ‘Send the message in both plain text and HTML’ > click ‘OK’. You can choose a font type, a font size and a font color for HTML emails in ‘Composition’ > ‘HTML Style’. To choose a text color uncheck “Use reader’s default colors”, then click on ‘Text Color’.

Please note that when you add email accounts for domains different from ‘example.com‘ hosted on your server, such as ‘secondsite.net‘, ‘thirdsite.info‘, etc., you have to enter the same server ‘mail.example.com‘ as the IMAP/POP3/SMTP server in the email account setup window shown above.

When you open Thunderbird you may be asked to confirm security exceptions for the domains stored on the server. This happens because the default SSL certificate for the mail server, set up in Dovecot, is issued for ‘mail.example.com‘, and Thunderbird sees that this domain is different from the domains of the individual accounts that are configured in Thunderbird (‘secondsite.net‘, ‘thirdsite.info‘, etc.). Click ‘Confirm’ and the popups will disappear.

After you install Thunderbird, it’s a good idea to go to ‘Edit’ > ‘Preferences’ > ‘Privacy & Security’ and to uncheck the ‘Allow Thunderbird to send technical data and interaction data to Mozilla’ option and the ‘Allow Thunderbird to send backlogged crash reports on your behalf’ option, to increase the level of privacy when using Thunderbird.

20.2. Configure Thunderbird for email encryption

In the past, if you wanted to use Thunderbird to encrypt/decrypt emails you needed to install an add-on called Enigmail. Now Enigmail is no longer needed because the encryption and decryption capabilities have been built into Thunderbird itself.

On the left panel, right-click on an email account for which you want to use encryption, select ‘Settings’, click on ‘End-To-End Encryption’ then under ‘OpenPGP’ click on the ‘Add Key’ button; in the new window check ‘Create a new OpenPGP Key’ and click ‘Continue’; in the new window, under ‘Key expiry’ choose ‘Key does not expire’ so that you won’t need to worry about what keys expire when. Of course, if you suspect that the private key has been compromised, you can always revoke the old key and generate a new key. Under ‘Advanced Settings’ you can also change the ‘Key type’ and ‘Key size’ for stronger encryption. Click ‘Generate key’, then click ‘Confirm’. After the key pair is generated, you should see the last part of the public key’s fingerprint in the ‘OpenPGP’ section, below ‘None’. Make sure that the radio button next to the new key is checked. If you don’t select anything in the ‘OpenPGP’ section or you select ‘None’, you won’t be able to send encrypted emails. In the same ‘OpenPGP’ section, if you click on the ‘OpenPGP Key Manager’ button, you will see a list with all the email addresses added to Thunderbird and their respective encryption Key IDs.

To be able to encrypt the emails that you send, you need two keys: a public key, which must be given to each of the recipients to which you want to send encrypted emails, and a private key which must be kept secret and not shared with anyone. If you go to ‘Tools’ > ‘OpenPGP Key Manager’, or click on the ‘OpenPGP Key Manager’ button in the ‘End-To-End Encryption’ section of each email account, you will see a list with all the email addresses added to Thunderbird and their respective Key IDs. The simplest way to send your public key to a recipient is to right-click on the email address whose public key you want to send, in this list of email addresses and Key IDs, then choose ‘Send Public Key(s) By Email’. A new email message window will be opened and the public key of that specific email account will be automatically attached to the new email, as an asc file. Enter the recipient’s email address in the ‘To’ field, enter a subject, write the message, then send it.

When you receive the public key of someone by email, first save it to your computer, then go to ‘Tools’ > ‘OpenPGP Key Manager’ > ‘File’ > ‘Import Public Key(s) From File’ > select the key that you have saved on your computer, then click ‘OK’, ‘OK’.

When you want to send an encrypted email to a recipient whose public key you have already imported in Thunderbird, you can write the email, then go to ‘Options’ and click on ‘Require Encryption’. It’s recommended to leave the ‘Digitally Sign This Message’ option checked, to also sign the new email in order to allow the recipient to verify the authenticity and integrity of the message. (The message will be first signed and then encrypted by Thunderbird. When sending encrypted messages, you could also first encrypt them and then sign them, but this is not recommended, because in this case the signature doesn’t prove that the sender approved the plaintext of the message). If you want to attach your public key to that email, you can also click on the ‘Attach my Public Key’ option, to check it. These options can also be chosen by clicking on the down arrow next to the ‘Security’ button, on the ‘Composition Toolbar’. Then write your email as any regular email and send it. The recipient will receive your encrypted email and if (s)he uses Thunderbird and has already imported your public key, the email text will be automatically decrypted and displayed as regular text. The same thing will happen if you receive an encrypted email from a sender whose public key you have already imported in Thunderbird: the text will be automatically decrypted and displayed as regular text.

If you want to see the encrypted text of an encrypted email, open the email, then go to ‘View’ > ‘Message Source’.

It’s worth noting that some encrypted emails that pass through Microsoft Exchange servers can get corrupted. They can be usually repaired in Thunderbird by pressing the ‘Repair’ button that will appear above the message.

20.3. Upgrading Thunderbird

To upgrade Thunderbird on Debian you can just run apt-get update && apt-get dist-upgrade about once a month. This command will upgrade Thunderbird if there is a new version available. Also, during these upgrades, the configuration changes implemented as described above, will be preserved.

You can send your questions and comments to: