Tails includes Thunderbird for:

  • Reading and writing emails - Reading RSS and Atom feeds for news and blogs

To start Thunderbird choose Applications ▸ Internet ▸ Thunderbird.

To store your emails, feeds, and settings across different working sessions, turn on the Thunderbird feature of the Persistent Storage.

For more detailed documentation, refer to the official Thunderbird help.

Configuring an email account

  1. When starting Thunderbird for the first time, an assistant appears to guide you through the process of configuring Thunderbird to access your email account.

    To start this assistant again in the future from the main window of Thunderbird, choose Menu ▸ Account Settings and then, from the Account Settings dialog, choose Account Actions ▸ Add Mail Account….

  2. Enter your name, email address, and password into the corresponding fields.

  3. Click Continue.

  4. The assistant tries to configure automatically the correct settings to connect to your email provider based on your email address.

    If the automatic configuration fails, consult your email provider about how to configure your email account manually.

    Configuring a Gmail account

    If you are using Gmail, you need to first configure your account to allow access from other email clients, such as Thunderbird.

    To configure your Gmail account to allow access from Thunderbird, you need to:

    1. Enable IMAP or POP. See Gmail Help: Check Gmail through other email platforms.
    2. Turn on 2-Step Verification. See Google Account Help: 2-Step Verification.
    3. Create an App Password. See Gmail Help: Sign in with App Passwords.
    4. Use the App Password in Thunderbird.

  5. If the automatic configuration succeeds, you might have to specify which protocol to use to connect to your email provider, either IMAP or POP.

    • With IMAP, Thunderbird constantly synchronizes with the server and displays the emails and folders that are currently stored on the server. IMAP is better suited if you access your emails from different operating systems.

    • With POP, Thunderbird downloads the emails that are in the inbox on the server and possibly deletes them from the server. POP is better suited if you access your emails from Tails only and store them in the Persistent Storage.

    To know more, see also this comparison between POP and IMAP by Riseup.

Enhanced privacy

Thunderbird in Tails is configured for additional privacy and anonymity.

For example, Thunderbird in Tails:

  • Removes information about the language of your session or spellchecker from the headers of the emails that you send.
  • Removes information that could identify you as a Tails user from the headers of your emails.
  • Only allows secure protocols and disables insecure protocols, like SSLv3.
  • Disables tracking technologies, like cookies and JavaScript, when viewing emails or feeds in HTML.

Emails and feeds in HTML format are displayed in plain text by default and can become harder to read.

These enhancements are inherited from the former TorBirdy extension. To learn more about the security properties provided by this configuration, you can read the TorBirdy design document.

Using Thunderbird in your language

To use Thunderbird in your language, you can install the thunderbird-l10n-lang package using the Additional Software feature. Replace lang with the code for your language. For example, es for Spanish or de for German.

OpenPGP encryption

Since Tails 4.13 (November 2020), Thunderbird 78 replaces the Enigmail extension with built-in support for OpenPGP encryption. If you used Enigmail before Tails 4.13, follow our migration instructions.

See also the official OpenPGP in Thunderbird - HOWTO and FAQ.

Setting up a Master Password (recommended)

In Thunderbird, OpenPGP private keys are not protected by a passphrase. That's why we recommend that you set up a Master Password.

With a Master Password, your private key is encrypted in your Thunderbird profile and is only unlocked while Thunderbird is running. If your Thunderbird profile is stored in your Persistent Storage, then your private key is encrypted twice: once by Thunderbird in your profile and a second time by the encryption of the Persistent Storage.

  1. Choose Menu ▸ Preferences.

  2. Choose Privacy & Security.

  3. In the Passwords section, select the option Use a master password.

  4. In the Change Master Password dialog, enter your Master Password and click Ok.

Importing an existing private key

Thunderbird uses a different keyring than GnuPG.

If you already have an OpenPGP private key outside of Thunderbird, follow the instructions below to export it from GnuPG and import it into Thunderbird.

Export your private key using the Passwords and Keys utility

From the desktop:

  1. Choose Applications ▸ Utilities ▸ Passwords and Keys.

  2. In the left pane, choose GnuPG keys.

  3. In the right pane, double-click on the private key that you want to export and use in Thunderbird.

  4. In the Details tab of the properties dialog, click Export.

  5. Save your private key in your Home directory.

  6. Close the Passwords and Keys utility.

Import your private key in Thunderbird

In Thunderbird:

  1. Choose Menu ▸ Account Settings.

  2. In the left pane, identify the account that corresponds to the private key that you want to import and choose End-to-End Encryption.

  3. In the right pane, click the Add Key… button.

  4. In the Add a Personal OpenPGP Key dialog, choose Import an existing OpenPGP Key and click Continue.

  5. Click the Select File to Import… button and choose the private key that your exported from the Passwords and Keys utility.

  6. In the next dialog, make sure that your private key is listed and that the option Treat this key as a Personal Key is selected.

  7. Click Continue, enter the passphrase for your private key (if any), and click Continue again.

    Your private key should now be listed in the End-to-End Encryption settings of your account.

  8. Select your private key to enable OpenPGP encryption for this account.

Generating a new OpenPGP private key

  1. Choose Menu ▸ Account Settings.

  2. In the left pane, identify the account that corresponds to the private key that you want to import and choose End-to-End Encryption.

  3. In the right pane, click the Add Key… button.

  4. In the Add a Personal OpenPGP Key dialog, choose Create a new OpenPGP Key.

  5. Review the settings in the next dialog, click the Generate key button, and then click Confirm.

    Your private key should now be listed in the End-to-End Encryption settings of your account.

Encrypting an email

To prevent you from sending unencrypted emails by mistake, Thunderbird in Tails is configured with the option Require Encryption turned on by default.

With the option Require Encryption, Thunderbird tries to encrypt every email before sending it.

To send an unencrypted email, in the composition window, choose Security and deselect the option Require Encryption.

We are unsatisfied with how the option Require Encryption works. Instead, Thunderbird should automatically encrypt when a public key is available and not try to encrypt otherwise.

The developers of Thunderbird want to provide such an option to "encrypt when possible" in future versions.

When sending an encrypted email:

  • If you already have a public key for the recipient and have marked it as accepted, Thunderbird encrypts the email and sends it.

  • If you already have a public key for the recipient but have not marked it as accepted yet, Thunderbird fails to send the email.

    To mark the public key as accepted:

    1. In the error message, click Close.

    2. In the OpenPGP Message Security dialog, select the recipient that is marked as not accepted key and click the Manage keys for selected recipient… button.

      If the recipient is marked as no key available, you don't yet have a public key for them.

    3. In the next dialog, select the public key of your recipient and click the Open details and edit acceptance… button.

    4. In the Your Acceptance tab of the Key Properties dialog, select the option that applies to how much you verified the public key.

  • If you don't have a public key for the recipient, Thunderbird also fails to send the email.

    To look for a public key for this email address on the keys.openpgp.org keyserver:

    1. In the error message, click Close.

    2. In the OpenPGP Message Security dialog, select the recipient that is marked as not accepted key and click the Manage keys for selected recipient… button.

    3. Click the Discover new or updated key button.

      If no public key can be found, ask the recipient to send you their public key.

      If a public key for this email address is found, choose to import it.

    4. In the OpenPGP Message Security dialog, select the public key that was imported in the previous step and click the Open details and edit acceptance… button.

    5. In the Your Acceptance tab of the Key Properties dialog, select the option that applies to how much you verified the public key.