Smartcards & broken GPG support

Hello,

I am writing this message in regards to Thunderbird's GPG support after v68, in the last hope that someone suggests a solution that moves me away from version 68. I consider the current state broken.

My PGP keys reside on a Yubikey, but smartcard usage has been broken after v68, as none of the supposedly correct setups work. It should work pretty much out of the box, but it doesn't. The whole idea of moving away from Enigmail without having proper, fully implemented support, including for smartcards, or at least for working with GPG, was utterly misguided, IMO, and broke the once nice client.

I enabled gpg usage and fetching in Settings, I imported my pubkeys to Thunderbird's PGP manager, then added my external key (with GPG). Everything looks fine. But when I click an encrypted message, I get "The secret key that is required to decrypt this message is not available". Nah, it's available and it's there! The pinentry isn't appearing at all and this is the result. I believe this is TB's fault, as the pinentry correctly appears with everything else I do, also with TB 68 + Enigmail. The setup is the same. I am using the latest Gpg4win.

Settings:

mail.openpgp.allow_external_gnupg - true
mail.openpgp.fetch_pubkeys_from_gnupg - true
mail.openpgp.alternative_gpg_path - has no effect whether set or not

gpg-agent.conf:

enable-win32-openssh-support
default-cache-ttl-ssh 900
max-cache-ttl-ssh 1800
no-allow-external-cache
default-cache-ttl 300
max-cache-ttl 3000
ignore-cache-for-signing
allow-loopback-pinentry

gpg.conf:

utf8-strings
auto-key-locate local
use-agent

FYI, adding "pinentry-program" has no effect on solving the problem, whether set or not.

Your suggestions are welcome!

Solved 1 12

importing pgp keys from Thunderbird on Linux to Thunderbird on Windows 11 produces error

On my Linux machine, I exported the public key for an email address in Thunderbird 140.8.0esr (64-bit) into a file. I transferred the file to my Windows 11 machine via Warpinator.

On the Windows machine I am running Thunderbird 148.0.1 (64-bit). In Account settings>End-to-End encryption, I click Add Key>Import an existing OpenPGP key>Select File to import, and then I select the file.

I get an error message: Error! Failed to import file.

I'm surprised. I would think that going from one installation of Thunderbird to another would work this way. I am concerned that I won't be able to read incoming encrypted emails without the key working.

Can someone help me?

Solved 7 78

problem with certificate

I receive a lot of Thunderbird messages with this text (in French) :

"Le certificat pour imap.gmail.com ne provient pas d’une source sûre."

What do I have to do, please? Thanks

Solved 1 32

my Thunderbird Android app gives me the error "unable to parse tls packet header" when trying to manually configure my email

I installed Thunderbird on my new Samsung A26. I tried to configure the IMAP connection for my email - provider is liwest.at - per their settings. The incoming mail check worked, but the outgoing mail check gives back the error "unable to parse tls packet header". I checked username and password multiple times and tried all versions of password authentication possibilities.

I googled the error but the only thing I could find was a possible mismatch in tls versions. I asked my provider about it - their customer service could not confirm with their technicians what version is in use but according to their documentation it should be tls 1.2

Solved 2 65

The certificate for imap.googlemail.com does not come from trusted source

Running Thunderbird 140.8.0esr 64bit Windows 11 Home, v25H2 932GB storage 32GB ram i7-13700k

Recently, I've started getting the following message every time I launch Thunderbird: "The certificate for imap.googlemail.com does not come from a trusted source."

Digging into details I get: "you are about to override how Thunderbird identifies this site" "Location: imap.googlemail.com:993" "This site attempts to identify itself with invalid information" "Unknown Identity. The certificate is not trusted because it hasn't been verified as issued by a trusted authority using a secure signature."


Digging deeper into the certificate I find the issuer is Bitdefender who I use for antivirus and VPN. However, the VPN shows no effect when enabled or disabled. The validity period is 2 Feb 2026 to 27 Apr 2026

I can get email, but can't send it. Is Bitdefender at fault?

I'm stumped. What should I do???

Solved 1 102

Thunderbird Beta and Release: External GnuPG Keys Not Working with GnuPG 2.5.x (locked duplicate)

Hello,

Configuration:
- Windows 11 25H2 (current status)
- Thunderbird Beta-6 (BuildID=20260213180051)
- gpg2.5.17 (Gpg4Win 5.0.1); see also: <https://www.gpg4win.de/>

The previous and default installation path of "Gpg4Win": "C:\Program Files (x86)\Gpg4Win\" has been changed by the software to: "C:\Program Files\Gpg4Win\"!

Bug 1967121 (Closed) => thunderbird148 --- fixed! <https://bugzilla.mozilla.org/show_bug.cgi?id=1967121>

At the moment, I’m following the changes regarding external key management in Thunderbird Beta, because working with external keys in the ESR and release versions of Thunderbird has become absolutely impossible since the official release of gpg 2.5.x! The secret keys required for decryption and signing are no longer found when using gpg 2.5.x!

In Thunderbird Beta’s key manager, my public keys and all public keys of my communication partners are present. My secret keys are stored externally. The following preference was added because of gpg 2.5.x:

https://assets-prod.sumo.prod.webservices.mozgcp.net/media/uploads/images/2026-02-25-14-35-46-df59be.png

However, even after all these measures, the following error message appears: **"The secret key that's required to decrypt this message is not available."**

https://assets-prod.sumo.prod.webservices.mozgcp.net/media/uploads/images/2026-02-25-14-36-58-d8280e.png

With the release of Thunderbird 148.0 (release), the same problems with external key management can be observed there as well!

With gpg versions **older than 2.5**, everything works flawlessly under Windows!

**UNDER LINUX**, changes to the preference "mail.openpgp.load_untested_gpgme_version" have demonstrably no effect at all!

What am I missing?

Locked 74

How to export PGP keys from thunderbird?

Thunderbird 140.7.0esr allows me to e-mail my OpenPGP public key to myself, but it doesn't seem to have any way for me to get access to my private key. I was wondering how to export keys? Thanks!

Solved 2 91

SMTP server connection fails

I am using an E-mail server that uses LetsEncrypt certificates. I was using Thunderbird 128 ESR without problems. When the certificate was updated, I was requested to confirm - then sending E-mails was possible. Now I have updated to Thunderbird 140 ESR. The E-mail server's LetsEncrypt certificate was now updated, but in Thunderbird I do not get any information about this, nor am I requested to check the new certificate. The SMTP connection just fails. The IMAP access to the E-mail server works fine. (IMAP and SMTP both work fine with K9-Mail on my mobile device.)

How can I get Thunderbird to ask me again to check the updated certificate?

Solved Archived 11 302

Thunderbird says certificate expired, letsencrypt certbot says its good, different dates shown

I'm using Thunderbird 140.5.0esr. I have a remote email server on a small "linode" and recently had to restore it from a backup.

When opening Thunderbird, I get the message "The certificate for adonax.com expired on 10/29/2025." I've been getting emails up to and including yesterday.

I ran the renewal program (sudo certbot renew) from the command line of my remote server, and was told the certificate did not need renewing. The "expiry date" is shown to be 2026, March 20 when having certbot display the certificate information.

So, there is some sort of disconnect happening in the communications between Thunderbird and the locations of the certificates on my server. I'm hoping for some advice as to how to trace the path. One possibility is that there is a location on my server that is used to connect to the certs and this is holding stale information due to the recent restore done for the remote server. Another is that maybe there is cached information or something else blocking the request from Thunderbird.

From Thunderbird, I am presented with a form "Add Security Exception". This indicates that thunderbird is contacting the location adonax.com:993. I checked the port from the server using UFW and it is open to all. The Thunderbird form however hangs when I hit the "Get Certificate" button, and clicking the "Confirm Security Exception" appears to do nothing. The button "View..." opens a tab with the expired certificate. All the information on the certificate that is displayed by Thunderbird looks good, matches what I have in terms of URLs, but the dates are wrong.

Is there perhaps something blocking thunderbird from using port 993? Is there a way to test that? If 993 is working, I will try to research what is going on there at the Ubuntu end. I tried putting adonax.com:993 in Chrome and got an ERR_UNSAFE_PORT, for what that is worth.

Solved 2 110

No emails downloaded and I get a message web email is fine.

I have 4 emails in Thunderbird, one of those I also have on my phone, it is receiving mail, on my desktop, two of the emails have no email today, and two I have only one email, all should have 10 to 20 or more emails. I do have the emails on the website, but they are not loading onto Thunderbird. I get this message, "The certificate for imap.knology.net is not valid for the server. Someone could be trying to impersonate the server and you should not continue."

Can you offer any help?

Solved 3 75

3 of my ISP emails are getting no mail, the 4th a gmail account work fine

I have 2 emails provided by my ISP (knology), I have received no emails since 7:30 on 12/5, they are on the webmail site. The other 2 emails are gmail accounts, they are working fine. I am getting a message, "The certificate for imap.knology.net is not valid for that server. Someone could be impersonating the server, you should not continue."

The fact that the gmails work and knology does not work is a clue but I don't know what it means.

I have contacted my ISP and after 45 minutes they gave up and said they will escalate and get back to me, within a couple days! It was on a Saturday.

Thank you, Mike

Locked 1 195

Importing encryption keys from TB Desktop to TB for Android

Hello,

I have read this one https://support.mozilla.org/en-US/kb/openpgp-thunderbird-android-howto and I was aiming for additional detailed info on a specific step in the "Select an encryption key or create a new key" section.

From Thunderbird Desktop I can already send/receive encrypted emails from a specific email account and I have exported, on my laptop, my private and public keys as well as the public keys of some contacts.

On my Android phone I have Thunderbird for Android (version 14) already set up for the same email account and, in order to start using email encryption, I understood from the above link that I first need to install OpenKeychain and then, from the image in step 2 of "Select an encryption key or create a new key" and from the text of the subsequent step 3, that I'll need to choose "I already have a key. Import end-to-end key from other device" and then, if I got it right, try to find the keys which I exported on my laptop from Thunderbird Desktop.

Are there any precise details on how to find those exported keys and load them into OpenKeychain? Meaning, for instance, do I need to copy/paste the keys from my laptop into the archive of my Android phone and then direct Thunderbird/OpenKeychain to that location to pick them up?

Any type of details/links/docs/videos with respect to this, will be useful. As well as any explanations in case I understood wrongly and what I am trying to do is not the proper way to proceed.

Please note: I am not an expert.

Thank you

Best Regards

Solved 1 113

Where is generated private key stored during S/MIME CSR generation?

I generated a CSR file via the instructions at https://support.mozilla.org/en-US/kb/instructions-smime-certificate-using-csr#thunderbird:linux:tb145 . After submitting and receiving a certificate from a CA, importing it in the People tab of the Certificate Manager does not do anything: nothing new appears in the Your Certificates tab.

Where are the private keys associated to the generated CSRs stored? How can I access them to resolve this?

Running 140.5.0esr via flatpak on Fedora 43 Kinoite.

Solved 1 67

Is a PQC algorithm for session key sharing supported by Firefox?

Hello everyone,

I am using Firefox latest release (eg 145.0.1).

At https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-support/ , it seems that X25519MLKEM768 is supported since Firefox 132. Can you confirm?

I ask this question because when I am connecting to https://pq.cloudflareresearch.com/ and activate the network tab before reaching this URL, and looked at the security tab on the right bottom panel, as you can see in the screenshot attached, in the Exchange group keys, I see x25519 and not x25519mlkem768 meaning that Firefox is not PQC ready for key establishment :-(

Best Regards.

Solved 1 116

Why does thunderbird not Confirm Security Exception anymore

My e-mail provider has done the annual update of security and provided a new e-mail cert; however, Thunderbird no longer successfully updates it.

Thunderbird gets to the point of confirming the security exception; however, does not proceed.

This is using Thunderbird 140.4.0esr (64-bit) from Ubuntu Snap, on Ubuntu LTS 24.04.3.

Solved 2 176

SMIME install in Thunderbird

I have several iterations of installing SMIME on my email account. I know the pf12 file is valid and it works on all my Android systems. However, when I try to send a digitally signed email on Thunderbird under Ubuntu, I get the message that either the SMIME certificate cannot be found or it has expired even though I went through the correct process to install it (and it shows up on the End to End Encryption settings) and when I display it, it indicates an expiry date of 2027. I have also tried to bundle it with the intermediate certificate but I still get the same error. I even tried to create my own personal SMIME certificate and use it (using SSL) and it had the same issue. Anyone have any suggestions?

This is the error I get: "Sending of the message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired."

Do I need to put the SMIME certificate in a specific folder in order for it to be "re-found"?

Solved 1 69

How to add a mail certificate exception in thunderbird?

Hello,

I am moving over to Thunderbird from Outlook. I have about 8 emails with two domains. First email works okay. The second one on the same domain has turned red on the left panel and Thunderbird keeps popping up "the certificate for mail.xxx.com is not valid for the server". The other works; I added the exception when setting it up. The mail server is another domain used from my cPanel hosting provider. So it does not match the domain of the emails.

I can't seem to find a way around this to get it to work. Also, under account settings it looks correct. I am thinking this error message is the incoming mail server? I don't see under account settings anything for incoming mail server, which on my hosting is the same for incoming and outgoing. Appreciate any help.

Thank you!

Solved 1 175

STARTTLS Error Message When Attempting to Send Message from Gmail Account

Over a month ago I began experiencing an error message when attempting to send emails from my gmail account using Thunderbird (TB). Error msg reads: Sending of the message failed. An error occurred while sending mail. The mail server responded: Must issue a STARTTLS command first. For more information go to: https://support.google.com/a/answer/3221692 and review RFC 3207 specifications. 00721157ae682-765bb916a90sm38332507b3.4-gsmtp. Please verify that your email address is correct in your account settings and try again. ***While I have looked at all of this, I can't really find a solution I know how to implement.***

I can send emails using Google webmail and when I do, the emails show up in my TB Sent items folder. I'm totally stumped and considering moving to Outlook. But TB has been perfect for me for years and I want to stay with it. Any help will be much appreciated!

Solved Archived 6 109