How To Make Thunderbird More Secure
I have been a user of the desktop email client Mozilla Thunderbird for the past five or so years. In that time, I have modified the default settings and behavior of the client to make it more resistant to attacks and other malicious activity. This guide is an overview of what I have done in those years. Please note that while it makes your email client more secure, it does not make the program invincible. Common sense is still one of the most powerful weapons in a computer user's arsenal.
I also have to say at this point that I'm not including add-ons in this guide. This guide only looks at the native options that Thunderbird offers. The majority of changes should also be applicable in other email programs.
1. Disable HTML messages
I get it. HTML messages look nicer. You can do all kinds of things with HTML messages that you cannot do with plain text messages. Plain text messages, on the other hand, only display textual content and nothing else, which reduces the attack surface: no embedded styling, remote images, or scripts are rendered.
You find the setting under View > Message Body As > Plain Text.
2. Disable JavaScript
The developers removed JavaScript support for emails completely in Thunderbird 3. There is no option to enable JavaScript for emails. JavaScript for RSS feeds, on the other hand, is still enabled. Thunderbird users who do not use RSS, or do not want JavaScript in their feeds, can disable it the following way. Click on Tools > Options > Advanced tab > Config Editor to open the advanced configuration window.
Filter for the term javascript and double-click javascript.enabled to set it to false if it is set to true.
3. Use SSL
You should furthermore make sure that all of your email accounts use SSL connections to protect against snooping and eavesdropping. Click on Tools > Account settings, and there on the Server Settings listing underneath each email account.
If None is selected under Connection Security, check your email provider's help pages or contact its support to find the correct SSL settings. You also need to click on Outgoing Server (SMTP) at the bottom of the listing to verify that all outgoing servers use SSL for their connections as well.
4. E-Mail Scams
Go to Tools > Options > Security > E-Mail Scams and make sure that "Tell me if the message I'm reading is a suspected email scam" is enabled. Thunderbird then checks whether the message you are reading is a known scam email and warns you if it is.
5. Master Password
If you are working on a multi-user PC or want to protect your email passwords from unauthorized access, you should consider setting a master password in the email client for that purpose. Anyone with access to the PC can look at all email usernames and passwords if they are not protected with a master password.
Click on Tools > Options > Security, and check the Use a master password box there to enable the option. You are then asked to enter a password which from that moment on will protect the password database from unauthorized access.
Thunderbird displays a prompt on startup that asks for that master password. The password quality meter visualizes the strength of the selected password.
6. Disable the preview pane
Thunderbird uses a layout with three panes by default. Email accounts and folders on the left, the email messages on the upper right, and the preview pane at the bottom right.
Email previews are automatically displayed when you select a message in the email client. You may want to disable that feature as it may be used for malicious purposes. Please note that this is unlikely, especially if you have disabled HTML messages and JavaScript.
The easiest way to disable the message preview pane is to press the F8 key on the keyboard. You can re-enable the pane easily with another tap on the same key.
7. Display All Headers
Email headers help you find out if an email is legit or fake. Thunderbird displays a compact version by default which cannot be used to verify an email address. You can enable full email headers with a click on View > Headers > All.
Please note that Thunderbird limits the space available for email headers on its page. You can scroll the header area by holding down the left mouse button over it and moving the scroll wheel up or down.
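Several of the settings above end up as user_pref lines in the profile's prefs.js file. The following script, an added example that is not part of the original post, parses such a file and reports which of the guide's hardening settings are missing or set to the wrong value. javascript.enabled and mail.password_protect_local_cache are the names given on this page; the mailnews.display.* names are the preferences behind View > Message Body As > Plain Text as I know them, and the sample prefs.js is constructed.

```python
import re
import sys
from typing import Dict, List, Tuple, Union

PrefValue = Union[bool, int, str]

# Hardened values from the guide, keyed by about:config preference name.
# The two mailnews.display.* entries are the prefs behind the View menu
# setting (assumed mapping, not stated on the page).
EXPECTED: Dict[str, PrefValue] = {
    "javascript.enabled": False,
    "mail.password_protect_local_cache": True,
    "mailnews.display.prefer_plaintext": True,
    "mailnews.display.html_as": 1,
}

# prefs.js lines look like: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+?)\);\s*$')

def parse_value(raw: str) -> PrefValue:
    """Convert the JS literal in a user_pref line to a Python value."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)  # ValueError on anything unexpected is intentional

def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return {pref name: value} for every user_pref line; comments are skipped."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(prefs: Dict[str, PrefValue]) -> List[Tuple[str, str]]:
    """List (pref, problem) for each expected setting that is absent or wrong.
    Types are compared too, so an int 1 is not accepted where true is expected."""
    findings = []
    for name, want in EXPECTED.items():
        if name not in prefs:
            findings.append((name, "not set; the Thunderbird default applies"))
        elif type(prefs[name]) is not type(want) or prefs[name] != want:
            findings.append((name, f"is {prefs[name]!r}, expected {want!r}"))
    return findings

# Constructed sample: JavaScript still on, no local-cache protection.
SAMPLE_PREFS_JS = """// Mozilla User Preferences (constructed sample)
user_pref("javascript.enabled", true);
user_pref("mailnews.display.html_as", 1);
user_pref("mailnews.display.prefer_plaintext", true);
user_pref("mail.server.server1.hostname", "mail.example.com");
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PREFS_JS
    for pref, problem in audit(parse_prefs(text)):
        print(f"{pref}: {problem}")
```

Run it with the path to a profile's prefs.js as the only argument; without an argument it audits the embedded sample.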
Closing Words
Add-ons can furthermore improve security but that's outside of the scope of this guide. Let me know if you are interested in a list of security related add-ons for the Thunderbird email client.
Have additional tips you'd like to share? Let me know in the comments.
I just got redirected to a spam site in my browser after I started to fill in a quiz form in an e-mail; I googled their site and yes, they are doing that scumbag marketing trick. Didn’t even know Thunderbird actually supports e-mail, and that is really stupid. NO legit emails would ever contain JS, but scammers may use it to their advantage.
I enjoyed your Thunderbird info. Will you send me a list of security related add-ons for the Thunderbird email client? Also, will I have to change my DNS server settings? What is your opinion on setting up an email server on your home PC?
Thank You,
AL
I recently started using Thunderbird, and one thing I notice is that when I set Message Body As to Plain Text, it also renders my feed summaries as plain text, even if I set Feed Message Body As to Original HTML or Simple HTML. Is there a way to set different settings for mail and RSS feeds? I want my mails in plain text and my feeds in summary view with HTML so I can see the images. :(
I would love to see a more expansive article on best practices for using Thunderbird. I am currently investigating moving my email accounts to a desktop client and Thunderbird is on my short list. Great articles here on ghacks, I have been spreading the word. :)
re: 5. Master Password
Minor message viewing protection can be added with the following about:config preference if a master password is already set:
name: mail.password_protect_local_cache
type: boolean
value: true
If set to true, the master password is required at Thunderbird startup to view messages.
This prevents other users from reading messages directly through Thunderbird. This method will not prevent reading messages directly from within the Thunderbird profile folder.
Do you still believe that disabling HTML is necessary if you don’t allow remote content to be displayed automatically/by default?
Hi,
I’d love to see a list of security related add-ons.
BTW, Allow HTML Temp is a nice add-on that allows you to enable HTML temporarily for the email currently being viewed. It is very useful if one has disabled HTML (as suggested in this text).
https://addons.mozilla.org/de/thunderbird/addon/allow-html-temp/
Very good text. I hope to see more articles on this subject.
Hi Martin – this is a great post about keeping Thunderbird secure. I am planning on switching from Gmail to Thunderbird really soon, and since security is a top priority of mine, this will ease my transition. I wouldn’t mind seeing a post in the future about security based add-ons for Thunderbird. Thanks!