The Thunderbird Privacy Guide for Dummies!

Thunderbird logo

See the revision history at the end of this document.

hi :)

Thunderbird is a very popular, free, open source, multi-platform, extensible email client. Our goal here will be to further harden it against security and privacy threats by making a bazillion changes to its preferences using a custom user.js preferences file which was inspired by the popular 'ghacks' user.js for Firefox. The fellas running the 'ghacks' user.js project are a well connected and knowledgeable bunch regarding the inner workings of Firefox and a lot of that knowledge applies directly to Thunderbird.

junk you'll need to do

If you’re running Windows you need to unhide file extensions, and i suggest you keep them un-hidden.

You’ll need a decent code editor with syntax highlighting. For Windows, PSPad is nice, simple and free (don't use Notepad). If you’re running Linux you’ve probably got something installed already. Poke around.

While there are many forks and derivatives of Thunderbird, we want only the official release which you can grab here if you're being abused by Microsoft. For Linux users, look in your package manager.

If you have installed Thunderbird for the first time, run it and set up an email address, then close it before doing anything else. This will create the necessary profile directory we will be impregnating in a moment.

don't be a retard

If you're already using Thunderbird, you !!! NEED !!! (did you note the emphasis there?) to make a backup of your current profile. If you don't know where Thunderbird stores your profile, click the Hamburger-looking icon on the toolbar, then expand the 'Help' menu and click the 'Troubleshooting Information' menu item. In the 'Application Basics' section, click the 'Open Directory' label next to the 'Profile Directory' label.

In your file manager you want to move up one directory where you will find your profile folder. If you haven't renamed it, the name will end in .default. Copy that folder (Ctrl+C) and then paste it in the same place (Ctrl+V). When you are prompted for a new name, just append something like -bak to it.

the not necessarily all important user-overrides.js

The user-overrides.js file is where we'll be storing all our custom preferences, as well as any changes we want to make to the 'HorlogeSkynet' user.js which we'll be grabbing in a minute. The contents of this file will then be appended to the user.js file. As i hinted earlier, you will save yourself many a headache if you store your custom preferences in a user-overrides.js file rather than editing the user.js.

I keep a copy of my personal user-overrides.js at my Codeberg repository if you wish to pirate it, in which case you can click on the file name, then click the 'Raw' link and, finally, press Ctrl+S to save the file to your Thunderbird profile directory (here's the direct link). If you'd rather create your own, just create a file named user-overrides.js in your profile directory. If you don't wish to make any changes to the preferences in the user.js file, or add your own preferences, then you don't need a user-overrides.js at all. If you create your own user-overrides.js, you may want to refer to mine for examples and best practices.

IMPORTANT: If you are using my user-overrides.js, it is very important that you open the file in a capable code editor and go through it, line by line, to make sure you're okay with all the preferences. Again, these are my personal preferences and i do not edit them for public consumption.

the totally necessary all important user.js

Note that the 'HorlogeSkynet' user.js file is slanted toward using Thunderbird as an email client and nothing more, so chat and some other non-mail functionality is disabled by default.

To make updating the user.js file as easy as possible, do not edit it! Instead, copy all the preferences you want to change to the 'USER CUSTOM PREFERENCES' section of your user-overrides.js file (if you're using mine). The best way to get the user.js file depends on whether...

...you're running Linux

Download the updater.sh script from my Codeberg repository by clicking on the updater.sh script, then the 'Raw' button, then press Ctrl+S to save it to your Thunderbird profile directory (here's the direct link).

You will need to make the file executable. You could try meditation or sacrificing a goat, but it'd probably be quicker to just right-click on it to open the file properties dialog window and click the 'Is executable' checkbox on the 'Permissions' tab (or similar). If your file browser doesn't have such an option, see How do I run .sh files?.

We need to run that updater.sh script from a terminal, so open one and change the directory to your Thunderbird profile directory. In the example below you'll need to change 'gobbledygook' to match the correct name of your profile folder which might be something along the lines of...

cd ~/.thunderbird/gobbledygook.default/

Now run the updater.sh script by preceding the file name with a dot and a slash:

./updater.sh

The updater script will spit out some introductory stuff and then prompt you to continue. If by chance everything in the universe is aligned just so, and you've followed the directions, the script will download a fresh copy of the 'HorlogeSkynet' user.js file to your profile directory and append the contents of your user-overrides.js to it (if you're using one) just like it says on the tin.

To see all the options for running the updater script, see the Updater Scripts article on the 'ghacks' wiki or run the script with the -h switch (./updater.sh -h).

 

...or Windows

Head over to the HorlogeSkynet/thunderbird-user.js repository at GitHub and click on the user.js file, then click the 'Raw' link, then press Ctrl+S to save the file to your Thunderbird profile directory (here's the direct link). To verify that you placed the user.js file in the correct place, it should be in the same place as the prefs.js file.

If you're using a user-overrides.js file, Thunderbird has no idea what the hell you're doing and so in order to apply the preferences in the user-overrides.js, copy the entire contents of the file and then paste this at the very end of the user.js file, starting on an empty line which you can add if necessary.

 

the prefsCleaner scrubber script

Any time you update the 'HorlogeSkynet' user.js, or edit your user-overrides.js, you should always run the 'ghacks' prefsCleaner.sh (Linux) or prefsCleaner.bat (Windows) script in order to reset any old/removed/depreciated preferences, otherwise they will remain active in Thunderbird's prefs.js file. More information about the prefsCleaner script and how to remove/reset custom preferences you add to your user-overrides.js or user.js file is contained in my user-overrides.js file. Also see Resetting Inactive Prefs [Scripts] in the 'ghacks' user.js wiki. While this document pertains to Firefox, it can be applied to Thunderbird as well.

You can grab the 'ghacks' prefsCleaner.sh (Linux) or prefsCleaner.bat (Windows) script at the GitHub - ghacksuserjs/ghacks-user.js repository. Click on the file name, then click the 'Raw' button, then press Ctrl+S to save it to your Thunderbird profile directory where your user.js file resides (here's the direct link for the Linux version and here's the direct link for the Windows version). If you're using Linux, don't forget to make the script executable.

don't be a fossil

To keep informed of updates to the 'HorlogeSkynet' user.js, you can subscribe to the Recent Commits to thunderbird-user.js:master news feed.

To keep informed of updates to my user-overrides.js, you can subscribe to the Thunderbird category on this website.

To check for a new version ot the 'HorlogeSkynet' user.js manually, say once a month or so, or whenever a new version of Thunderbird is released, go to the HorlogeSkynet/thunderbird-user.js repository at GitHub and click on the user.js file to compare the version with your current version. If a new version is available, then how you update the user.js depends on whether...

... you're running Linux

With Thunderbird closed, run the updater.sh script. You can run it with the -c switch (./updater.sh -c) which will create a 'diff' file that will list all the differences between the old user.js and the new one.

 

... or Windows

With Thunderbird closed, rename your current user.js file by adding .bak to it, then go to the HorlogeSkynet/thunderbird-user.js repository at GitHub and click on the user'js file, then the 'Raw' button, then press Ctrl+S to save it to your Thunderbird profile directory.

 

Each time you update the user.js, be sure to follow it up by running the prefsCleaner script using the same method as described earlier for your operating system. The prefsCleaner script will reset any depreciated, removed, or inactive preferences and it is important that you do this.

and they all lived happily ever after

All done? Great! Your Thunderbird is now 100% hacker proof (assuming you cut your network cable and short out your WiFi, Bluetooth and cellular radios). Seriously, it will be much harder for the sender of an email to violate your privacy or compromise your computer's security.

revision history

28-May-2019

  • first publish

27-Nov-2019

  • added info about prefsCleaner script
  • updated user-overrides.js

28-Nov-2019

  • minor edits

3-Dec-2019

  • added info about updater.sh file for Linux
  • lots of non-critical changes and clarifications

21 thoughts on “The Thunderbird Privacy Guide for Dummies!”

      1. Thks, I will try to investigate with your link. For the time being I tested by doing the following:
        -I uninstalled user.js and user-overrides.js and this is what happened: Cardbook showed the contacts (without me adding the contacts url from my nextcloud again). So I suspect something in user.js or user-overrides.js prevents cardbook to show the contacts (cardbook seems to remember the contact url from my server but doesn’t show the contacts for whatever reason).

        1. couple points…

          * when you’re troubleshooting, you should *always* make a backup of your profile
          * you never have to “uninstall” user.js – you can just rename it (user.js.bak) so Firefox can’t read it
          * Firefox never reads user-overrides.js, so there’s no point in removing it for troubleshooting

          you should read the link i gave, as well as what it says in the user.js and user-overrides.js files

  1. Hi, Thank you for this useful guide.
    When you say: “Any time you update the ‘HorlogeSkynet’ user.js, or edit your user-overrides.js, you should always run the ‘ghacks’ prefsCleaner.sh (Linux) or prefsCleaner.bat (Windows) script in order to reset any old/removed/depreciated preferences, otherwise they will remain active in Thunderbird’s prefs.js file. ”
    Should I run the ghacks’ prefsCleaner.sh when I follow your guide for the 1st time (running ./updater.sh for the 1st time)? And should I run the ghacks’ prefsCleaner.sh before or after running ./updater.sh?

    Thanks.

    1. you can run the prefsCleaner script any time you want, however you should always run it after the ‘HorlogeSkynet’ user.js is updated

      to answer your ? more accurately, no, you don’t have to run it before updater.sh, but you can run it after to clean up any old prefs that may be listed as depreciated, etc., in user.js

      1. Ok, thanks. So I shouldn’t run prefsCleaner script now as I installed user.js for the first time, but I should run it from now on each time I update the user.js… Am I right? Sorry to insist, english isn’t my native language.

          1. I have another problem. When I try to run the prefsCleaner.sh script, it says:

            This script should be run from your Firefox profile directory.
            It will remove any entries from prefs.js that also exist in user.js.
            This will allow inactive preferences to be reset to their default values.
            This Firefox profile shouldn’t be in use during the process.
            1) Start
            2) Help
            3) Exit
            #? 1

            This Firefox profile seems to be in use. Close Firefox and try again.

            Press any key to continue.

            So I can’t run it. But Thunderbird isn’t launched when I try to run ./prefsCleaner.sh … What could cause that? Is there a way to bypass this warning?

            Thank you.

            1. odd – i run Linux also and prefsCleaner.sh doesn’t warn about t-bird OR firefox running even when they are, so there may be a problem with the script (i’ll mention this to the ghacks user.js guys)

              this is the block of code that does the checking:


              while [ -e webappsstore.sqlite-shm ]; do
              echo -e "\nThis Firefox profile seems to be in use. Close Firefox and try again.\n"
              read -p "Press any key to continue."
              done

              you can do this with it and try running the script again…


              #while [ -e webappsstore.sqlite-shm ]; do
              # echo -e "\nThis Firefox profile seems to be in use. Close Firefox and try again.\n"
              # read -p "Press any key to continue."
              #done

              1. Thanks! I tried first adding ‘#’ to the lines but it didn’t work and had an error message on line 34. So I deleted the lines and ran ./prefsCleaner.sh and it worked. I wonder why the check is faulty…

              2. Another question… I edited the user-overrides.js file. Then copied/pasted its content on an empty line at the end of the user.js file. Then ran the prefsCleaner.sh script. Is it the correct procedure?

                Should I then leave the copied/pasted content from the user-overrides.js file in the user.js file? Or leave it there and next time I edit user-overrides.js I copy/past over it?

                1. the updater.sh script will automatically append user-overrides.js to user.js – you don’t have to do it manually, but you can

                  and yes, that needs to stay there (firefox/t-bird doesn’t read user-overrides.js)

              3. And last question (sorry for taking your time). I followed the “INTEGRITY CHECK 1” and have this result (screen shot):
                https://i.imgur.com/wGJcgKV.png

                value is “USER SETTINGS LOADED”
                but you say (in the user-overrides.js file) it should be:
                value is “12bytes.org USER SETTINGS LOADED”

                Is it ok or does it mean I didn’t pass the integrity check?

  2. Good guide, I’d also advise using Enigmail for additional protection though.
    You could also use one of the following private email provides:
    ProtonMail (requires bridge for Thunderbird usage)
    CounterMail (requires premium for IMAP/SMTP support)
    Hushmail
    Mailfence (requires paid plan for IMAP/SMTP)
    Disroot
    Runbox
    Posteo.de
    LuxSci
    mailbox.org
    StartMail

    There are probably other services out there but I think this is enough for now.

Leave a Reply

Your email address will not be published. Required fields are marked *