Форум спільноти Усі продукти

Microsoft Outlook Client emails are legally valid in a court of law, but Thunderbird emails are not. Can we start taking baby steps towards making Thunderbird emails a little more viable in legal applications?

While I do not understand these things in the depth required, can we start taking baby steps towards achieving legal validity of emails downloaded from Thunderbird?

I am presenting below a conversation that I had with chat GPT regarding this matter for the help of anyone who wishes to take this up.

Chat GPT:

QUESTION 1: 1. As per my limited knowledge, Outlook client emails are legally valid because the header cannot be edited. This however, is not true of Thunderbird emails. Do I understand correctly? 2. What are the challenges in making Thunderbird header not user editable, so that Thunderbird emails also have the same benefit?

Chat GPT: Your question touches on email authenticity and legal validity—especially in regulated or evidence-sensitive contexts. Let's break it down:

Is it true that Outlook headers are immutable and Thunderbird’s are not?

Partially True — but needs clarification.

Email headers in both Outlook and Thunderbird

Can be viewed by recipients, but cannot be edited after the email has been sent. Only during composition can certain headers (like `From`, `Reply-To`) be changed, depending on the setup.

What you cannot change post-sending:

After an email is sent (from any client), the core SMTP headers (`Date`, `From`, `Message-ID`, etc.) are locked. These are generated by the sending server and cryptographically traceable via server logs or DKIM.

Outlook’s extra layer:

Outlook integrates closely with Microsoft Exchange, which stores server-side logs, message tracking, and non-editable audit trails (e.g., via journaling). That’s what gives Outlook/Exchange emails more evidentiary credibility, not just the client itself. In contrast, Thunderbird usually connects via standard IMAP/SMTP, without server-side logging, unless used with a corporate mail server like Postfix + Dovecot + journaling.

In Summary: Table Feature Outlook (w/ Exchange) Thunderbird Headers editable during composition Yes (some fields) Yes (same) Headers editable after sending No No Built-in server-side logging Yes (Exchange) No (unless configured) Strong evidentiary trail Common in enterprise Requires external setup

What are the challenges in making Thunderbird headers non-editable during composition?

The challenge lies not in technical impossibility, but in the design philosophy of Thunderbird:

a. Open Source & User Control

Thunderbird is open source, so users can customize or even extend the client to manipulate headers (via extensions or config changes). This is powerful for advanced users, but not ideal in regulated or high-trust environments.

b. Lack of Server-Side Enforcement

Thunderbird relies on whatever SMTP/IMAP servers it connects to. Unless the server enforces policies (like DKIM signing, DMARC, or header filtering), client settings are only soft limits.

c. Missing Native Audit Features

Outlook/Exchange logs metadata like when a message was sent, delivered, read, etc. Thunderbird lacks that unless paired with enterprise-grade backends. How Could Thunderbird Improve Legal Trustworthiness?

1. Header Locking During Composition

  	Disable or grey out fields like `From`, `Date`, `Message-ID`.
  	Possible via extension, but not enforced by default.

2. Enforced Server-Side Signing (e.g., DKIM)

  	Ensure outgoing mail is cryptographically signed to verify integrity.
  	Requires a properly configured mail server, not just Thunderbird.

3. Journaling or BCC Archiving

  	Auto-BCC all sent mail to a tamper-proof archival system.
  	Thunderbird can do this via rules or server configuration.

4. Extension or Mode for “Forensic Compliance”

  	Custom Thunderbird modes that restrict editing headers, disable extensions, log actions, etc.

Final Thoughts

You're correct in understanding that Thunderbird offers less baked-in legal reliability than Outlook + Exchange. But this isn’t due to insecure design—rather, it's due to Thunderbird’s flexibility and lack of tight server integration. Thunderbird can be made trustworthy with the right server configuration (DKIM, archiving) and possibly some custom add-ons.

If you’re looking to build or propose a “forensic-grade” Thunderbird environment, I can help design one with proper technical constraints and audit trails. Let me know!

QUESTION 2: My legal Counsel has told me that emails downloaded from the Gmail server into the outlook client are legally valid. So even without Microsoft Exchange and all the other server side logging, Outlook emails are legally viable. Chat GPT

Yes — your legal counsel is broadly correct, and here’s the nuanced explanation:

Emails Downloaded via Outlook (from Gmail) Can Be Legally Valid

Even without Microsoft Exchange, emails downloaded into Outlook (say via IMAP or POP from Gmail) can still be legally viable evidence, because:

1. Outlook stores email in a tamper-evident format

Outlook saves emails in `.pst` or `.ost` files. These files have a structured, proprietary binary format that is hard to tamper with without detection. Courts often accept these files (with chain of custody) as original records.

2. Outlook preserves server headers

Even when connected to Gmail, Outlook does not modify or fake headers. It shows server-signed headers (like `Message-ID`, `Date`, etc.) exactly as received. These headers can be verified independently against:

Gmail’s “Show Original” → raw headers DKIM/DMARC authentication

3. Integrity from Gmail itself

Gmail assigns unique `Message-ID`s and signs outgoing mail with DKIM. DKIM proves the message has not been tampered with since it left Google’s servers. So even if Outlook is the client, the source of trust is Gmail + DKIM, not just the software.

In Legal Contexts

4. What courts typically require is:

 A copy of the original message as received (headers intact)
 Some form of chain of custody (who had access, how was it stored)
 Optionally, confirmation from the mail server logs (if challenged)
 Outlook is often used in corporate/legal environments because:

It does not let users easily forge full headers The data format is harder to manipulate Legal teams and forensic experts are familiar with `.pst` files

So even without Exchange, emails received and stored in Outlook are trusted, provided:

The full headers are intact The `.pst` or `.ost` file has not been tampered with

5. How This Differs from Thunderbird

Thunderbird also preserves headers and stores messages locally — but: Table: Aspect Outlook Thunderbird Storage format `.pst`/`.ost` (proprietary) `.mbox` or plain text Header immutability Enforced by format Editable via text file (with effort) Forensic familiarity High (in legal circles) Moderate Tamper-evidence Strong (binary format) Weak (editable with text editors)

So Thunderbird messages can technically be altered more easily after download, especially if stored in `.mbox` or `.eml` formats. That’s why they are viewed with more caution in legal settings.

Conclusion

Yes — emails downloaded into Outlook, even from Gmail, are generally accepted as legally valid, provided the headers are intact and the file has not been manipulated. Outlook's storage format and market reputation contribute to its legal trustworthiness — even without Exchange.

If you want to achieve similar legal credibility with Thunderbird, the focus should be on:

Enforcing DKIM-signing (from Gmail, already done) Locking down `.eml` or `.mbox` file access Possibly archiving in tamper-evident formats

Let me know if you’d like a workflow to export Thunderbird emails into a legally robust format similar to `.pst`.

Hi guys,

I connected my private crypto wallet to a fraudulent OKX scammer wallet extension, downloaded from your Firefox store couple of weeks ago. I deleted the wallet after I realized it's a scam but the scammers already drained my entire wallet afterwards, I lost approx. 14,000 USD.

I saw this warning too late: https://t.co/wSQv696SvM

Do you guys have any idea, where I can report this case or what I can do? I mean, I am quite sure that I am not the only one affected by this scam.

Thanks Marc

Hello,

I have not found an answer to my question anywhere, nor can I solve the problem I have encountered on my own. The thing is that when I log into my YouTube account and then close the browser, turn off the tablet, after restarting I have to go through the process of logging in to my YouTube account again. I think the browser is great. I am talking about the Firefox Focus browser. This problem does not occur on Firefox, but for my old hardware it is too slow.

Arek

I have all options enabled to save addresses and credit cards.

When I try to manually add a credit card, hitting the Save button does nothing.

When I use a credit card on a site, Firefox prompts me to save the card, I confirm that I want to save it, yet it isn't saved.

The page https://support.mozilla.org/en-US/kb/ai-chatbot lacks the list of data shared with the chatbot AI providers. It would be nice to know how it is done, how to review the data, and how pages can provide better data.

Dear Team,

When my Client device installs From Firefox 102.7.0 ESR to Firefox 128.7.0 from SCCM. (The case is First install the Version 102.7.0 then save the Bookmarks and then uninstall. Second Install the 128.7.0 then check the bookmarks)

user profile Bookmarks are not mapped in Firefox. When I check C:\Users\Tests\AppData\Roaming\Mozilla\Firefox\Profiles I can see the xxxx.defaultesr

I don't understand why the bookmarks are not linked in Firefox. Can you please help? I would be thankful to you if you could share me the .bat script

Thank you

Trying to use Thunderbird after break of some years and want to use Proton Mail. Every time I try to set it up I get message 'the certificate 127.0.0.1does not come from trusted source'. Previous experience of Thunderbird was that there were frequent issues like this arising.

I have been using Thunderbird forr many years and earthlink is my server. After doing many emails this morning Thunderbird stopped sending emails and showed a Security Certificate alert problem for smtpauth.earthlink.net:587 that i had nor seen before. I tried to over ride but could not. I can still receive emails. dan_doherty@earthlink.net

I've been using Thunderbird for my earthlink.net accounts for years. Now I'm getting an Error that "Peer's Certificate issuer is not recognized. My earthlink.net settings have not changed. Help.

Hello Hello sometimes websites redirect away from the requierd adress to something wrong.

Samples: https://www.writelatex.com/read/sjchktdtqwcm This redirects to https://www.overleaf.com/

https://plus.google.com/u/0/110765980098077923527/posts/JpSZhceCDXE this redirects to https://workspaceupdates.googleblog.com/2023/04/new-community-features-for-google-chat-and-an-update-currents%20.html

How can i force such sites to stay at the link-address ans open that properly instead of even trying to redirect?

Best regards Maxi

Subject: OCSP Must-Staple Behavior Observations in Firefox (Including iOS Platform)

Dear Firefox Team,

We have been conducting tests involving certificates with the OCSP Must-Staple extension and would like to share several observations regarding Firefox’s behavior across different platforms:

General Compliance with Must-Staple: On most platforms, Firefox correctly enforces the Must-Staple extension. That is, if a certificate includes the Must-Staple flag and the web server fails to provide a stapled OCSP response, the connection is appropriately terminated.

Unexpected Behavior on iOS: However, we have observed that Firefox on iOS does not appear to enforce this requirement consistently. Even when the server does not provide a stapled OCSP response, the browser still establishes the TLS connection. We are unsure whether this is due to platform limitations or an implementation inconsistency.

Redundant OCSP Requests Despite Stapling: Additionally, we found that Firefox still initiates an OCSP request even when a valid stapled response has already been provided by the server. This behavior not only degrades performance but may also introduce privacy concerns, it contrary to the original privacy and efficiency goals of OCSP Stapling.

Looking for a way to configure the "Share the screen" permission present in permissions for individual sites via GPO. I am aware of this doc but I can't find anything for setting this permission. Specifically, to block it for all sites with an explicit allow list.

The "Preferences" option won't suffice as permissions are stored in permissions.sqllite and are not part of the about:config preferences. The "Permissions" grouping lacks... the majority of the possible site permissions as well.

At home we have a shared computer with Ubuntu and Firefox as main browser. Each family member has its own Linux user.

We use the functionality of Firefox saving passwords, however we've noticed that these passwords are visible between the Linux users. So, for instance if two of us use the same website, somehow our user/pass get are visible to each other. Is this behavior expected? How can we set FF to make the user/pass visible only to the Linux user who is using it?

Cheers