Thunderbird Community Forum

I have tried using s/mime encrytpion for the first time. I have created 3 different accounts using the same CA on 3 different devices. All three can communicate with each other using the s/mine encryption. I used multiple methods - sending a signed email first and then encrypted+signed, creating a .pem file with public key - importing it in Manage certificates/people and sending an encrypted+signed email. Sending an encrypted email from-to the same address also works. What I can't seem to be able to do is use any other public keys. I have a list of companies and their keys, but whether I use a file downloaded from their site or copy the key to txt and then make a .pem file out of it, as I did with my addresses, I can't send an email that is both encrypted and signed. I get "end-to-end encryption requires resolving certificate issues for ..." and the recipient status "not found". They specifically don't want to send a signature first and then encrypted+signed, and I am stuck trying to figure out what I am doing wrong. Any help is greatly appreciated.

Server Posteingang IMAP (empfohlen) imap.vodafonemail.de Ports für Posteingang IMAP SSL: 993 / TLS: 143

Server Postausgang SMTP smtp.vodafonemail.de Ports für Postausgang SSL: 465 / TLS: 25 oder 587

When adding a new email account, the built-in web browser launches and displays the OAuth screen. To verify the security of the destination site, I want to click the green lock icon in the URL bar to check the details, but I can’t click it.

Does a green lock icon mean a secure connection has been established?

Every time I launch Thunderbird Beta 151.0b1 on Arch Linux, I immediately get a notification saying "The certificate for imap.gmail.com does not come from a trusted source." If I click through to the exception dialog, it shows "No Information Available / Unable to obtain identification status for this site" — it can't even fetch the certificate to show me what's wrong with it. The error only appears on launch and doesn't come back. Mail sends and receives fine.

From the terminal, openssl connects to imap.gmail.com:993 without any issue (Verify return code: 0, TLS 1.3, X25519MLKEM768). No antivirus, no VPN, no TLS-intercepting software. NSS 3.123.

Has anyone else seen this? Is this a known Beta issue?

Dear all,

When receiving signed AND encrypted mails from an Outlook-account I get the exclamation sign for the signature.

The message is (German) : "Digitale Signatur ist ungültig Diese Nachricht enthält eine digitale Signatur, die aber ungültig ist. Die Nachricht wurde mit einer Verschlüsselungsstärke signiert, die von dieser Version Ihrer Software nicht unterstützt wird. Signiert von...."

I already did all standard checks (trusted, new hash algorithm and so on),

Now I would like to know the EXACT reason why Thunderbird is not accepting the digital signature. How can I accomplish this?

THX in advance and best regards!

2026-04-25 SAT 14:45 BST I have boujht a DigiCert S/MIME Class 1 certificate from thesslstore, but I have not yet got it. They sent me 3 .crt files, but I have not understood how to use them. I hope someone can explain the problem and/or suggest what I can do about it please ? I do not remember having this sort of problem in previous years.

Am receiving a message reading-

The certificate for imap.gmail.com does not come from a trusted source.

Dzień dobry, podczas tworzenia wiadomości i próbie zapisania jej na później, otrzymuję komunikat:

Ostrzeżenie Błąd podczas zapisywania szkicu - W Twojej bazie kluczy nie można odnaleźć identyfikatora klucza „0xD3ADE4868E262032”.

Nie potrafię tego naprawić. System iOS na Mac.

Proszę o wsparcie.

Pozdrawiam

Why do I suddenly (from one day to another) receive the message: "Das Zertifikat für imap.gmail.com stammt nicht von einer vertrauenswürdigen Quelle."

when trying to downlowd messages from Gmail?

I have not changed anything at all.

Hello,

I am writing this message in regards to Thunderbird's GPG support after v68, in the last hope that someone suggests a solution that moves me away from version 68. I consider the current state broken.

My PGP keys reside on a Yubikey, but smartcard usage has been broken after v68, as none of the supposedly correct setups work. It should work pretty much out of the box, but it doesn't. The whole idea of moving away from Enigmail without having a properly, fully implemented support, including for smartcards, or at least for working with GPG, was utterly misguided, IMO, and broke the once nice client.

I enabled gpg usage and fetching in Settings, I imported my pubkeys to Thunderbird's PGP manager, then added my external key (with GPG). Everything looks fine. But when I click an encrypted message, I get "The secret key that is required to decrypt this message is not avaliable". Nah, it's available and it's there! The pinentry isn't appearing at all and this is the result. I believe this is TB's fault, as the pinentry correctly appears with everything else I do, also with TB 68 + Enigmail. The setup is the same. I am using the latest Gpg4win.

Settings:

mail.openpgp.allow_external_gnupg - true mail.openpgp.fetch_pubkeys_from_gnupg - true mail.openpgp.alternative_gpg_path - has no effect whether set or not

gpg-agent.conf:

enable-win32-openssh-support default-cache-ttl-ssh 900 max-cache-ttl-ssh 1800 no-allow-external-cache default-cache-ttl 300 max-cache-ttl 3000 ignore-cache-for-signing allow-loopback-pinentry

gpg.conf:

utf8-strings auto-key-locate local use-agent

FYI, adding "pinentry-program" has no effect on solving the problem, whether set or not.

Your suggestions are welcome!

Thunderbird Filelink uses end-to-end encryption and files are only encrypted/decrypted locally but unless the code running on your system is reviewed and validated you don't really know what it does. I would think that every time recipients click on the link and use the web interface to download a file, their browser is sent a script that does the decoding. Similarly, if you use the web interface of a Send instance to send a file, your browser is sent a script for encoding.

If the above is correct, how do we know these scripts are always the open source scripts that have been independently validated? Isn't it conceivable that a Send instance may send you a customized script for encryption/decryption that compromises encryption? This could be done with selected targets to avoid attracting attention too.

I am trying to export multiple messages that were sent to me encrypted with my pgp key as .eml files that contain the unencrypted message without needing to be decrypted. When using the default save function and ImportExportToolsNG on both server messages and locally stored messages, the .eml files exported just contain the encrypted pgp message block. Is this possible or will I have to manually decrypt each message?

Hello

I just recently purchased a new SSL certificate for our domain from bluehost. Now I get the following error message from Thunderbird.

Configuration not trusted. We received the configuration for your email over a connection that isn't as secure as we'd like. This means there is a tiny chance that someone could have altered it. Double check provided configuration.

I entered my server dashboard and compared the manual email settings and the settings match exactly.

I have paused anti-virus software on both my mobile and laptop and have uninstalled and reinstalled Thunderbird but nothing helped. Contacted Bluehost all is working fine. I can access my email from other clients but not from Thunderbird.

Any thoughts thanks

Gary K.

In my work account on a Microsoft Exchange server, we have public keys for all users in LDAP. Sometimes an encrypted email message from a known user fails to decrypt, instead showing a panel with no menu: "Thunderbird cannot decrypt this message". Errors are sporadic: for a few senders, all messages fail to decrypt on my Thunderbird, while for a few other senders, all messages successfully decrypt. For most senders, it seems to randomly depend on the particular message. In one odd case, a chain of replies can be successfully decrypted up to a point, and from there on, all replies fail to decrypt for me. We've looked into all the settings, and we've tried variations where someone sends me an encrypted message without signature, then another with encryption and signature. Nothing seems to consistently cause or avoid the error, it just seems to happen randomly.

Can someone recommend a way to diagnose the problem, for example debug logs?

It would also be helpful to try manually decrypting the raw received message using openssl. Is it possible to find it somewhere in the `~/.thunderbird/` area?

I received 2 notifications stating that 1) The certificate for imap.gmail.com does not come from a Trusted Source and 2) You are about to override how Thunderbird Identifies this site. Legitimate banks, stores and other public sites will not ask you to do this. This site attempts to identify itself with invalid information. The certificate is not trusted because it hasn't been verified as issued by a trusted authority using a secure Signature. I have been with Thunderbird for around 20 years and have contributed to it twice, so please help me!

On my Linux machine, I exported the public key for an email address in Thunderbird 140.8.0esr (64-bit) into a file. I transferred the file to my Windows 11 machine via Warpinator.

On the Windows machine I am running Thunderbird 148.0.1 (64-bit). In Account settings>End-to-End encryption, I click Add Key>Import an existing OpenPGP key>Select File to import, and then I select the file.

I get an error message: Error! Failed to import file.

I'm surprised. I would think that going from one installation of Thunderbird to another would work this way. I am concerned that I won't be able to read incoming encrypted emails without the key working.

Can someone help me?

I receive a lot of Thunderbird messages with this text (in French) :

"Le certificat pour imap.gmail.com ne provient pas d’une source sûre."

What I have to do please Thnx

I have problems every time I try to fetch my imap gmail, with Thunderbird complaining that: "The certificate for imap.gmail.com:993 does not come from a trusted source".

As near as I can tell, imap.gmail.com:993 is still the recommended setting for

Version is Thunderbird 148.0.1 (64-bit). Adding an exception for the missing certificate does not seem to make a bit of difference.

I do not know if the use of Bitdefender as my security and vpn software is a factor. I notice that the certificate (exception certificate?) shown when I click on View Certificate in my gmail account settings appears to mention Bitdefender, so perhaps that's a factor. That certificate looks as follows:

Certificate Subject Name Common Name imap.gmail.com Issuer Name Country US Organizational Unit IDS Organization Bitdefender Common Name Untrusted Bitdefender CA Validity Not Before Mon, 02 Feb 2026 08:37:57 GMT Not After Mon, 27 Apr 2026 08:37:56 GMT Subject Alt Names DNS Name imap.gmail.com Public Key Info Algorithm Elliptic Curve Key Size 256 Public Value 04:2D:20:DA:19:33:1D:AC:28:91:52:02:EB:B8:7E:33:C0:B7:E4:F3:5E:4E:88:92:E5:7E:BB:30:0C:6C:E4:84:A8:3D:D7:49:9B:22:C8:C0:BB:01:80:4B:84:30:3A:3B:73:70:8F:AB:EB:C0:F0:D5:7B:8B:0B:64:1B:DC:76:67:41 Miscellaneous Serial Number 1A:50:ED:15:50:A1:A7:93:5D:05:8A:CD:85:A5:15:FD Signature Algorithm ECDSA with SHA-256 Version 3 Download PEM (cert)PEM (chain) Fingerprints SHA-256 12:8A:58:44:DF:B5:E1:E4:EF:CC:F7:35:09:BA:6E:88:86:16:15:78:F9:28:52:23:FC:0E:E9:69:D1:AF:21:86 SHA-1 A3:30:CB:65:39:51:46:9B:3B:BC:0B:B9:09:DD:26:40:A8:52:25:3D

J'ai déjà un mail gmx , "andre.et@gmx.fr" est-ce cette adresse qui est crypter ?

Ou est ce une nouvelle adresse ? Chez Mozilla

Merci de m'éclairer André