Yonke imikhiqizo Community Forum

DEUTSCH (English see below):

Hallo zudammen,

Konfiguration: - Window11 25H2 (aktuell) - Thunderbird Beta-6 (BuildID=20260213180051) - gpg2.5.17 (Gpg4Win 5.0.1); siehe auch: <https://www.gpg4win.de/>

Der bisherige und standarmärige Installationspfad von "Gpg4Win": "C:\Progam Diles (x86)\Gpg4Win\" wurde softwareseitig auf: "C:\Progam Diles\Gpg4Win\" geändert!

Bug 1967121 (Closed) => thunderbird148 --- fixed! <https://bugzilla.mozilla.org/show_bug.cgi?id=1967121>

Zur Zeit verfolge ich die Änderungen bezüglich der externen Schlüsselverwaltung in Thunderbird-Beta, da das Arbeiten mit externen Schlüsseln in der esr- und in der relesease-Version von Thunderbird seit der offiziellen Herausgabe von gpg2.5.x absolut nicht mehr möglich ist! Die geheimen Schlüssel für das Entschlüsseln und Signieren werden mit gpg2.5.x nicht mehr gefunden!

In der Schlüsselverwaltung von TB-Beta befinden sich meine öffentlichen Schlüssel und alle öffentlichen Schlüssel meiner Kommunikationspartner. Extern sind meine geheimen Schlüssel gelagert. Folgende Präferenz wurde aufgrund von gpg2.5.x hinzugefügt:

https://assets-prod.sumo.prod.webservices.mozgcp.net/media/uploads/images/2026-02-25-14-35-46-df59be.png

Allerdings erscheint nach all diesen Maßnahmen die Fehlermeldung: "The secret key that's required to decrypt this message is not availlable."

https://assets-prod.sumo.prod.webservices.mozgcp.net/media/uploads/images/2026-02-25-14-36-58-d8280e.png

Mit Herausgabe von Thunderbird/148.0 (release) sind dort die gleichen Probleme mit der externen Schlüsselverwaltung zu bepbachten!

Mit Versionen gpg < 2.5 funktioniert unter Windows alles problemlos!

UNTER LINUX haben hier Änderungen an der Präferenz: "mail.openpgp.load_untested_gpgme_version" nachweislich keinerlei Auswirkungen!

Was übersehe ich?

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ENGLISH:

Hello,

Configuration: - Window11 25H2 (current status) - Thunderbird Beta-6 (BuildID=20260213180051) - gpg2.5.17 (Gpg4Win 5.0.1); see also: <https://www.gpg4win.de/>

The previous and default installation path of "Gpg4Win": "C:\Program Files (x86)\Gpg4Win\" has been changed by the software to: "C:\Program Files\Gpg4Win\"!

Bug 1967121 (Closed) => thunderbird148 --- fixed! <https://bugzilla.mozilla.org/show_bug.cgi?id=1967121>

At the moment, I’m following the changes regarding external key management in Thunderbird Beta, because working with external keys in the ESR and release versions of Thunderbird has become absolutely impossible since the official release of gpg 2.5.x! The secret keys required for decryption and signing are no longer found when using gpg 2.5.x!

In Thunderbird Beta’s key manager, my public keys and all public keys of my communication partners are present. My secret keys are stored externally. The following preference was added because of gpg 2.5.x:

https://assets-prod.sumo.prod.webservices.mozgcp.net/media/uploads/images/2026-02-25-14-35-46-df59be.png

However, even after all these measures, the following error message appears: **"The secret key that's required to decrypt this message is not available."**

https://assets-prod.sumo.prod.webservices.mozgcp.net/media/uploads/images/2026-02-25-14-36-58-d8280e.png

With the release of Thunderbird 148.0 (release), the same problems with external key management can be observed there as well!

With gpg versions **older than 2.5**, everything works flawlessly under Windows!

• • UNDER LINUX**, changes to the preference

"mail.openpgp.load_untested_gpgme_version" have demonstrably no effect at all!

What am I missing?

Hello,

I am moving over to Thunderbird from outlook. I have about 8 emails with two domains. First email works okay. The second one on the same domain has turned red on the left panel and thunderbird keeps poppoing up the certificate for mail.xxx.com is not valid for the server. The other works I added the exception when setting it up. The mail server is another domain used from my cpanel hosting provider. So it does not match the domain of the emails.

I can't seem to find a way around this to get it to work. Also I under account settings it looks correct. I am thinking this error message is the incoming mail server? I don't see under account setting anything for incoming mail server which on my hosting is the same for incoming and outgoing. Appreciate any help.

Thank you!

After I did the 128.5.2esr update, none of my email accounts can get email with SSL/TLS on. It won't even try the server with SSL/TLS on. If I turn it off, then it can get mail. When I try to change to STARTTLS it will just hang showing checking server capabilities. Some accounts are imap and some POP3

Running Windows 10, version 22H2 updated 12/10/2024 OS Builds 19044.5247 and 19045.5247

Gmail works fine. I've tried the just about all of the things I have found online, but no luck.

Any suggestions? In the past I rolled back to a working version and that fixed it, but it hasn't worked this time. Would removing all of the certificates fix it? Didn't want to take that chance until I threw it out out here!

Thank you!

I have an email account with multiple identities (aliases), some of which I would like to add under the same OpenPGP key that I'm using for the main identity. I couldn't find any option in the OpenPGP Key Manager in Thunderbird which would allow me to add identities to the key. How should I go about doing this?

I have Thunderbird 128.5.2esr and my email SMIME certificates are not assigned correctly when I send them to GMX. What can I do, are there bugs? 1) Select Cert Screencopy of SELECTION 2) err msg: Err-MSG at sending

Hello everyone,

I am using Firefox latest release (eg 145.0.1).

At https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-support/ , it seems that X25519MLKEM768 is supported since Firefox 132. Do you confirm ?

I ask this question because when I am connecting to https://pq.cloudflareresearch.com/ and activate the network tab before reaching this URL, and looked at the security tab on the right bottom panel, as you can see in the screenshot attached, in the Exchange group keys, I see x25519 and not x25519mlkem768 meaning that Firefox is not PQC ready for key establishment :-(

Best Regards.

I have 2 emails provided by my ISP (knology), I have received no emails since 7:30 on 12/5, the are on the webmail site. The other 2 emails are gmail accounts they are working fine. I am getting a message, "The certificate for imap.knology.net is not valid for that server. Someone could be impersonating the server, you should not continue."

 The fact that the gmails work and knology does not work is a clue but I don't know what it means.

I have contacted my ISP and after 45 minutes they gave up and said they will escalate and get back to me,

with in a couple days! it was on a Saturday.
                                                         Thank you, Mike

Hello,

I have read this one https://support.mozilla.org/en-US/kb/openpgp-thunderbird-android-howto and I was aiming for additional detailed info on a specific step in the "Select an encryption key or create a new key" section.

From Thunderbird Desktop I can already send/receive encrypted emails from a specific email account and I have exported, on my laptop, my private and public keys as well as the public keys of some contacts.

On my Android phone I have Thunderbird for Android (version 14) already set up for the same email account and, in order to start using email encryption, I understood from the above link that I first need to install OpenKeychain and then, from the image in step 2 of "Select an encryption key or create a new key" and from the text of the subsequent step 3, that I'll need to choose "I already have a key. Import end-to-end key from other device" and then, if I got it right, try to find the keys which I exported on my laptop from Thunderbird Desktop.

Are there any precise details on how to find those exported keys and load them into OpenKeychain? Meaning, for instance, do I need to copy/paste the keys from my laptop into the archive of my Android phone and then direct Thunderbird/OpenKeychain to that location to pick them up?

Any type of details/links/docs/videos with respect to this, will be useful. As well as any explanations in case I understood wrongly and what I am trying to do is not the proper way to proceed.

Please note: I am not an expert.

Thank you

Best Regards

I generated a CSR file via the instructions at https://support.mozilla.org/en-US/kb/instructions-smime-certificate-using-csr#thunderbird:linux:tb145 . After submitting and receiving a certificate from a CA, importing it the People tab of the Certificate Manager does not do anything: nothing new appears in the Your Certificates tab.

Where are the private keys associated to the generated CSRs stored? How can I access them to resolve this?

Running 140.5.0esr via flatpak on Fedora 43 Kinoite.

I regularly send/receive encrypted email on Windows with Outlook but seeing as most of my work is done on my Ubuntu partition, I was interested in a Linux solution. I was able to connect to my exchange server using owl automagically and see my email, no problem. I had some experience getting smart-card readers working on Ubuntu so I already had some things in place using the OpenSC Security Device. TB was able to talk to my card reader, grab the certificates, and I was able to set my S/MIME digital signing and encryption certificates. It definitely works, I can decrypt messages that I had already received in the way I expect, it checks if I have a card inserted, asks for me PIN, and the message decrypts correctly as I would expect. The issue is that if I try to send a signed email to myself, I get the error, "Sending of the message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired." A similar message is sent if I try to encrypt (but not sign) a message to myself but for the encryption certificate.

I don't understand this message, as TB can definitely see my card, ask my card for my private key, and use it to decrypt messages, so I believe my E2E settings are correct. Neither certificate is expired, both expire sometime in 2027. I even added my companies root certificate to my Certificate Authorities in TB, so I don't believe it's an issue with my certificate being deemed invalid, and the error message certainly doesn't suggest as much. I've also tried both of my card-readers in case something was only looking at the first one, but both can be signed into correctly but neither let me send signed/encrypted email. The only clues I can see are the console error in my terminal when the message fails to send...

console.error: mailnews.send: "Sending failed; , exitCode=2147500037, originalMsgURI="

Also when I open a remote debugging session, this is the error shown...

mailnews.send: NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIMsgComposeSecure.beginCryptoEncapsulation]

   _startCryptoEncapsulation resource:///modules/MimeMessage.jsm:510
   _writePart resource:///modules/MimeMessage.jsm:558

Does anyone know what I might be doing wrong and nudge me in the correct direction?

Add Security Exception? I can't send any outgoing email messages. I now get a warning alert after hitting Send entitled "Add Security Exception". It says further, "You are about to override how Thunderbird identifies this site." And, "Legitimate banks, stores and other public sites will not ask you to do this." My email provider is Earthlink and the alert identifies the server location as, "smtpauth.earthlink.net:587" and says, "This site attempts to identify itself with invalid information. Unknown Identity. The certificate is not trusted because it hasn't been verified as issued by a trusted authority using a secure signature."

That only available options are, "Confirm Security Exception" and "Cancel". Selection of either option brings up the same next alert, "Send Message Error", "Sending of the message failed. Peer's Certificate issuer isn't recognized. The configuration related to smtpauth.earthlink.net must be corrected."

I didn't intentionally change any settings or receive any notification from Earthlink to that effect, so I don't know why any of these protocols would have changed. I can view the smtpauth.earthlink.net certificate but I don't know how to copy it or attach it for diagnostic purposes. Can anyone provide insight regarding what is going on here and how to resolve it? Any solutions will be greatest appreciated.

Hi - I have had gmail and my internet provider email accounts on Thunderbird working for years. Suddenly, a few days ago, I started getting certificate issues from Thunderbird warning me of the security risks. I chose to override. Now I am unable to download (imap) from either email server. I no longer receive the certificate risk dialog box. When I click on File>Get New Messages, message appear at the bottom of the page indicating Thunderbird is "connecting to the imap server" or "checking mail server capabilities", but nothing downloads. What do I need to do to correct this? Access to both servers stopped at the same time so I don't believe anything changed on the server end.

Thanks, Alan

I wish to send an encrypted email. I have imported and accepted the recipient's public key.

When I compose an email to this recipient, the "encrypt" button is disabled.

Also, the security button mentioned in this article is not present on the compose toolbar, or anywhere for that matter https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq#w_how-do-i-send-an-encrypted-or-digitally-signed-email

Windows 11.

Any idea how to fix this?

I have several iterations of installing SMIME on my email account. I know the pf12 file is valid and it works on all my Android systems. However, when I try to send a digitally signed email on Thunderbird under Ubuntu, I get the message that either the SMIME certificate cannot be found or it has expired even though I went through the correct process to install it (and it shows up on the End to End Encryption settings) and when I display it, it indicates an expiry date of 2027. I have also tried to bundle it with the intermediate certificate but I still get the same error. I even tried to create my own personal SMIME certificate and use it (using SSL) and it had the same issue. Anyone have any suggestions?

This is the error I get: "Sending of the message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired."

Do I need to put the SMIME certificate in a specific folder in order for it to be "re-found"

Running Thunderbird 140.8.0esr 64bit Windows 11 Home, v25H2 932GB storage 32GB ram i7-13700k

Recently, I've started getting the following message every time I launch Thunderbird: "The certificate for imap.googlemail.com does not come from a trusted source."

Digging into details I get: "you are about to override how Thunderbird identifies this site" "Location: imap.googlemail.com:993" "This site attempts to identify itself with invalid information" "Unknown Identity. The certificate is not trusted because it hasn't been verified as issued by a trusted authority using a secure signature."

Digging deeper into the certificate I find the issuer is Bitdefender who I use for antivirus and VPN. However, the VPN shows no effect when enabled or disabled. The validity period is 2 Feb 2026 to 27 Apr 2026

l can get email, but cant send it. Is Bitdefender at fault?

I'm stumped. What should I do???

I'm using Thunderbird 140.5.0esr. I have a remote email server on a small "linode" and recently had to restore it from a backup.

When opening Thunderbird, I get the message "The certificate for adonax.com expired on 10/29/2025." I've been getting emails up to and including yesterday.

I ran the renewal program (sudo certbot renew) from the command line of my remote server, and was told the certificate did not need renewing. The "expiry date" is shown to be 2026, March 20 when having certbot display the certificate information.

So, there is some sort of disconnect happening in the communications between Thunderbird and the locations of the certificates on my server. I'm hoping for some advice as to how to trace the path. One possibility is that there is a location on my server that is used to connect to the certs and this is holding stale information due to the recent restore done for the remote server. Another is that maybe there is cached information or something else blocking the request from Thunderbird.

From Thunderbird, I am presented with a form "Add Security Exception". This indicates that thunderbird is contacting the location adonax.com:993. I checked the port from the server using UFW and it is open to all. The Thunderbird form however hangs when I hit the "Get Certificate" button, and clicking the "Confirm Security Exception" appears to do nothing. The button "View..." opens a tab with the expired certificate. All the information on the certificate that is displayed by Thunderbird looks good, matches what I have in terms of URLs, but the dates are wrong.

Is there perhaps something blocking thunderbird from using port 993? Is there a way to test that? If 993 is working, I will try to research what is going on there at the Ubuntu end. I tried putting adonax.com:993 in Chrome and got an ERR_UNSAFE_PORT, for what that is worth.

Hello to all,

I wanted to use DoH (dnsforge.de) under “maximum protection”, but with one exception: I would like Ecosia.org to be able to place ads for me, because I am convinced of Ecosia and want to support this project. Tested this with Cloudflare as well, setting up an exception here does not work either.

Now the exception set in Firefox has no effect. It should not be due to the DNS provider, because Ecosia.org is not blocked and has even been whitelisted.

What is the expected behavior of the “maximum protection” setting?

Kind regards