Thunderbird Community Forum

When i try to update my schooles secure mail, i get the nev certifikat and the Root, and Ca1 under autoreties and give it the right rights but it keeps giving me this error message " Certificate verification failed with the following error: The peer's certificate issuer is unknown. (Error code: SEC_ERROR_UNKNOWN_ISSUER)"

I recently obtained a digital certificate for use with S/MIME. I followed the process laid out in

https://support.mozilla.org/en-US/kb/instructions-smime-certificate-using-csr

to generate my key pair, create a CSR, submit it to a CA, download the resulting certificate file, and import it into Thunderbird. I also imported the intermediate certificate showed as the issuer for my cert, which in turn appears to be signed by one of the certs trusted by default in Thunderbird.

Having done that, I see the certificate showing up under "your certificates" in the Certificate Manager, with a "not before" date in the past and a "not after" date in the future. So everything appears to look correct, but when I try to send a signed email I get the following error message as a pop-up:

"Sending of the message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired."

And if I look at the console in developer tools I see:

"mailnews.send: NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIMsgComposeSecure.beginCryptoEncapsulation]

   _startCryptoEncapsulation resource:///modules/MimeMessage.sys.mjs:488
   _writePart resource:///modules/MimeMessage.sys.mjs:536
   createMessageFile resource:///modules/MimeMessage.sys.mjs:82
   createAndSendMessage resource:///modules/MessageSend.sys.mjs:147
   CompleteGenericSendMessage chrome://messenger/content/messengercompose/MsgComposeCommands.js:6456
   GenericSendMessage chrome://messenger/content/messengercompose/MsgComposeCommands.js:6372
   SendMessage chrome://messenger/content/messengercompose/MsgComposeCommands.js:6984
   doCommand chrome://messenger/content/messengercompose/MsgComposeCommands.js:1085
   doCommand chrome://messenger/content/messengercompose/MsgComposeCommands.js:1263
   goDoCommand chrome://messenger/content/globalOverlay.js:99
   oncommand chrome://messenger/content/messengercompose/messengercompose.xhtml:1
   openWindowPrompt resource:///actors/PromptParent.sys.mjs:75
   receiveMessage resource:///actors/PromptParent.sys.mjs:18
   openPrompt resource://gre/modules/Prompter.sys.mjs:1228
   openPromptSync resource://gre/modules/Prompter.sys.mjs:1071
   alert resource://gre/modules/Prompter.sys.mjs:1375
   alert resource://gre/modules/Prompter.sys.mjs:78
   fail resource:///modules/MessageSend.sys.mjs:358
   createAndSendMessage resource:///modules/MessageSend.sys.mjs:157

MessageSend.sys.mjs:149:32

   createAndSendMessage resource:///modules/MessageSend.sys.mjs:149
   CompleteGenericSendMessage chrome://messenger/content/messengercompose/MsgComposeCommands.js:6456
   GenericSendMessage chrome://messenger/content/messengercompose/MsgComposeCommands.js:6372
   SendMessage chrome://messenger/content/messengercompose/MsgComposeCommands.js:6984
   doCommand chrome://messenger/content/messengercompose/MsgComposeCommands.js:1085
   doCommand chrome://messenger/content/messengercompose/MsgComposeCommands.js:1263
   goDoCommand chrome://messenger/content/globalOverlay.js:99
   oncommand chrome://messenger/content/messengercompose/messengercompose.xhtml:1
   openWindowPrompt resource:///actors/PromptParent.sys.mjs:75
   receiveMessage resource:///actors/PromptParent.sys.mjs:18
   openPrompt resource://gre/modules/Prompter.sys.mjs:1228
   openPromptSync resource://gre/modules/Prompter.sys.mjs:1071
   alert resource://gre/modules/Prompter.sys.mjs:1375
   alert resource://gre/modules/Prompter.sys.mjs:78
   fail resource:///modules/MessageSend.sys.mjs:358
   createAndSendMessage resource:///modules/MessageSend.sys.mjs:157"

I can't make sense of the error message, since the certificate appears under "your certificates" in the certificate manager, and it does not appear to be expired. Can anyone suggest how to determine the root cause and fix it? Does it matter that the certificate is for a non-default identify I've added for the account in Thunderbird? Does it matter if the "common name" in the certificate doesn't match the "Your Name" field in Thunderbird? Any pointers on what to check would be appreciated.

Receiving emails was no problem, but when sending one I was repeatedly asked for my password. I did check the save password in the dialog box. I checked the account settings and saw a yellow alert next to certificate exception and clicked on remove. That apparently was a mistake because now I can't get into email since the security certificate is not valid. Reinstalling Thunderbird may be needed, but I need some advice before I try anything else.

I've been trying to set up a GPG key, but Thunderbird doesn't recognize my pub.asc file. So I created a PGP key thru Thunderbird and I would like to export it as ASCII-armored public key.

OS: GNU/Linux Thunderbird Desktop

Is it possible to set up a TLS client certificate for authentication with SMTP, as it is with IMAP?

It works fine on the K-9 Android client for both IMAP and SMTP.

Is there a reason why this hasn't yet been added as an authentication method for SMTP?

Thank you!

Best Regards

Every time I log in and then every so often afterwards I get the pop up - you are about to override how Thunderbird identifies this site- for a now deleted mail.co.uk account. I have tried all the fixes suggested by Google but it still keeps happening and is driving me mad. It tells me the certificate is outdated or invalid and asks to confirm to permanently store the exception but just keeps coming back every time I click on confirm, it only goes away if I click cancel but then keeps coming abck.

Server Posteingang IMAP (empfohlen) imap.vodafonemail.de Ports für Posteingang IMAP SSL: 993 / TLS: 143

Server Postausgang SMTP smtp.vodafonemail.de Ports für Postausgang SSL: 465 / TLS: 25 oder 587

I have tried using s/mime encrytpion for the first time. I have created 3 different accounts using the same CA on 3 different devices. All three can communicate with each other using the s/mine encryption. I used multiple methods - sending a signed email first and then encrypted+signed, creating a .pem file with public key - importing it in Manage certificates/people and sending an encrypted+signed email. Sending an encrypted email from-to the same address also works. What I can't seem to be able to do is use any other public keys. I have a list of companies and their keys, but whether I use a file downloaded from their site or copy the key to txt and then make a .pem file out of it, as I did with my addresses, I can't send an email that is both encrypted and signed. I get "end-to-end encryption requires resolving certificate issues for ..." and the recipient status "not found". They specifically don't want to send a signature first and then encrypted+signed, and I am stuck trying to figure out what I am doing wrong. Any help is greatly appreciated.

When adding a new email account, the built-in web browser launches and displays the OAuth screen. To verify the security of the destination site, I want to click the green lock icon in the URL bar to check the details, but I can’t click it.

Does a green lock icon mean a secure connection has been established?

Every time I launch Thunderbird Beta 151.0b1 on Arch Linux, I immediately get a notification saying "The certificate for imap.gmail.com does not come from a trusted source." If I click through to the exception dialog, it shows "No Information Available / Unable to obtain identification status for this site" — it can't even fetch the certificate to show me what's wrong with it. The error only appears on launch and doesn't come back. Mail sends and receives fine.

From the terminal, openssl connects to imap.gmail.com:993 without any issue (Verify return code: 0, TLS 1.3, X25519MLKEM768). No antivirus, no VPN, no TLS-intercepting software. NSS 3.123.

Has anyone else seen this? Is this a known Beta issue?

Dear all,

When receiving signed AND encrypted mails from an Outlook-account I get the exclamation sign for the signature.

The message is (German) : "Digitale Signatur ist ungültig Diese Nachricht enthält eine digitale Signatur, die aber ungültig ist. Die Nachricht wurde mit einer Verschlüsselungsstärke signiert, die von dieser Version Ihrer Software nicht unterstützt wird. Signiert von...."

I already did all standard checks (trusted, new hash algorithm and so on),

Now I would like to know the EXACT reason why Thunderbird is not accepting the digital signature. How can I accomplish this?

THX in advance and best regards!

2026-04-25 SAT 14:45 BST I have boujht a DigiCert S/MIME Class 1 certificate from thesslstore, but I have not yet got it. They sent me 3 .crt files, but I have not understood how to use them. I hope someone can explain the problem and/or suggest what I can do about it please ? I do not remember having this sort of problem in previous years.

Am receiving a message reading-

The certificate for imap.gmail.com does not come from a trusted source.

Dzień dobry, podczas tworzenia wiadomości i próbie zapisania jej na później, otrzymuję komunikat:

Ostrzeżenie Błąd podczas zapisywania szkicu - W Twojej bazie kluczy nie można odnaleźć identyfikatora klucza „0xD3ADE4868E262032”.

Nie potrafię tego naprawić. System iOS na Mac.

Proszę o wsparcie.

Pozdrawiam

Why do I suddenly (from one day to another) receive the message: "Das Zertifikat für imap.gmail.com stammt nicht von einer vertrauenswürdigen Quelle."

when trying to downlowd messages from Gmail?

I have not changed anything at all.

Hello,

I am writing this message in regards to Thunderbird's GPG support after v68, in the last hope that someone suggests a solution that moves me away from version 68. I consider the current state broken.

My PGP keys reside on a Yubikey, but smartcard usage has been broken after v68, as none of the supposedly correct setups work. It should work pretty much out of the box, but it doesn't. The whole idea of moving away from Enigmail without having a properly, fully implemented support, including for smartcards, or at least for working with GPG, was utterly misguided, IMO, and broke the once nice client.

I enabled gpg usage and fetching in Settings, I imported my pubkeys to Thunderbird's PGP manager, then added my external key (with GPG). Everything looks fine. But when I click an encrypted message, I get "The secret key that is required to decrypt this message is not avaliable". Nah, it's available and it's there! The pinentry isn't appearing at all and this is the result. I believe this is TB's fault, as the pinentry correctly appears with everything else I do, also with TB 68 + Enigmail. The setup is the same. I am using the latest Gpg4win.

Settings:

mail.openpgp.allow_external_gnupg - true mail.openpgp.fetch_pubkeys_from_gnupg - true mail.openpgp.alternative_gpg_path - has no effect whether set or not

gpg-agent.conf:

enable-win32-openssh-support default-cache-ttl-ssh 900 max-cache-ttl-ssh 1800 no-allow-external-cache default-cache-ttl 300 max-cache-ttl 3000 ignore-cache-for-signing allow-loopback-pinentry

gpg.conf:

utf8-strings auto-key-locate local use-agent

FYI, adding "pinentry-program" has no effect on solving the problem, whether set or not.

Your suggestions are welcome!

Thunderbird Filelink uses end-to-end encryption and files are only encrypted/decrypted locally but unless the code running on your system is reviewed and validated you don't really know what it does. I would think that every time recipients click on the link and use the web interface to download a file, their browser is sent a script that does the decoding. Similarly, if you use the web interface of a Send instance to send a file, your browser is sent a script for encoding.

If the above is correct, how do we know these scripts are always the open source scripts that have been independently validated? Isn't it conceivable that a Send instance may send you a customized script for encryption/decryption that compromises encryption? This could be done with selected targets to avoid attracting attention too.