See the revision history at the end of this document.
Thunderbird is a very popular, free, open source, multi-platform, extensible email client with calendar and encryption integration. Our goal here will be to further harden it against security and privacy threats by making a bazillion changes to its preferences using a custom user.js preferences file which was inspired by the popular 'arkenfox' user.js for Firefox. The fellas running the 'arkenfox' user.js project are a well connected and knowledgeable bunch regarding the inner workings of Firefox and a lot of that knowledge applies directly to Thunderbird.
junk you'll need to do
If you’re running Windows you need to unhide file extensions, and i suggest you keep them un-hidden.
You’ll need a decent code editor with syntax highlighting. For Windows, PSPad is nice, simple and free (don't use Notepad). If you’re running Linux you’ve probably got something installed already. Poke around.
While there are many forks and derivatives of Thunderbird, we want only the official release which you can grab here if you're being abused by Microsoft. For Linux users, look in your package manager.
If you have installed Thunderbird for the first time, run it and set up an email account, then close it before doing anything else. This will create the necessary profile directory we will be impregnating in a moment.
don't be a retard
If you're already using Thunderbird, you !!! NEED !!! (did you note the emphasis there?) to make a backup of your current profile. If you don't know where Thunderbird stores your profile, click the Hamburger-looking icon on the toolbar, then expand the 'Help' menu and click the 'More Troubleshooting Information' menu item. In the 'Application Basics' section, click the 'Open Directory' button next to the 'Profile Directory' label.
In your file manager you want to move up one directory where you will find your profile folder. If you haven't renamed it, the name will end in
. Copy that folder (Ctrl+C) and then paste it in the same place (Ctrl+V). When you are prompted for a new name, just append something like
the not necessarily important user-overrides.js
The user-overrides.js file is where we'll be storing all our custom preferences, as well as any changes we want to make to the 'HorlogeSkynet' user.js which we'll be grabbing in a minute. The contents of this file will then be appended to the user.js file. You will save yourself many a headache if you store your custom preferences in a user-overrides.js file rather than editing the user.js.
I keep a copy of my personal user-overrides.js at my Codeberg repository if you wish to pirate it, in which case you can click on the file name, then click the 'Raw' link and, finally, press Ctrl+S to save the file to your Thunderbird profile directory (here's the direct link to the file). If you'd rather create your own, just create a file named
in your profile directory. If you don't wish to make any changes to the preferences in the user.js file, or add your own preferences, then you don't need a user-overrides.js at all. If you create your own user-overrides.js, you may want to refer to mine for examples and best practices.
IMPORTANT: If you are using my user-overrides.js, it is very important that you open the file in a capable code editor and go through it, line by line, to make sure you're okay with all the preferences. Again, these are my personal preferences and i do not edit them for public consumption.
the totally necessary all important user.js
Note that the 'HorlogeSkynet' user.js file is slanted toward using Thunderbird as an email client and nothing more, so chat and some other non-mail functionality is disabled by default.
Head over to the HorlogeSkynet/thunderbird-user.js repository at GitHub and click on the user.js file, then click the 'Raw' link, then press Ctrl+S to save the file to your Thunderbird profile directory (here's the direct link). To verify that you placed the user.js file in the correct place, it should be in the same place as the prefs.js file.
Now go through the entire 'HorlogeSkynet' user.js file and read everything. Again, to make updating the user.js file as painless as possible, do not edit it! Instead, copy the preferences you want to change to the 'USER CUSTOM PREFERENCES' section of your user-overrides.js file (if you're using mine).
If you're using a user-overrides.js file, Thunderbird has no idea what the hell that is and so in order to apply the preferences in the user-overrides.js, copy the entire contents of the file and then paste this at the very end of the user.js file beginning on an empty line which you can add if necessary.
the prefsCleaner scrubber script
Any time you update the 'HorlogeSkynet' user.js, or edit your user-overrides.js, you should always run the 'arkenfox' prefsCleaner.sh (Linux) or prefsCleaner.bat (Windows) script in order to reset any old/removed/depreciated preferences, otherwise they will remain active in Thunderbird's prefs.js file. More information about the prefsCleaner script and how to remove/reset custom preferences you add to your user-overrides.js or user.js file is contained in my user-overrides.js file. Also see Resetting Inactive Prefs [Scripts] in the 'arkenfox' user.js wiki. While this document pertains to Firefox, it can be applied to Thunderbird as well.
You can grab the 'arkenfox' prefsCleaner.sh (Linux) or prefsCleaner.bat (Windows) script at the GitHub - arkenfox/user.js/arkenfox/user.js repository. Click on the file name, then click the 'Raw' button, then press Ctrl+S to save it to your Thunderbird profile directory where your user.js file resides (here's the direct link for the Linux version and here's the direct link for the Windows version). If you're using Linux, don't forget to make the script executable, either from a menu in your file manager or from a terminal:
$ chmod +x prefsCleaner.sh
To run the script in a Linux environment:
don't be a fossil
To keep informed of updates to the 'HorlogeSkynet' user.js, you can subscribe to the Recent Commits to thunderbird-user.js:master news feed.
To keep informed of updates to my user-overrides.js, you can subscribe to the news feed for the Thunderbird category on this website.
To check for a new version of the 'HorlogeSkynet' user.js, which you should do once a month or so, or whenever a new version of Thunderbird is released, go to the HorlogeSkynet/thunderbird-user.js repository at GitHub and click on the user.js file to compare the version with your current version.
Each time you update the 'HorlogeSkynet' user.js, be sure to exit Thunderbird and run the prefsCleaner script. The prefsCleaner script will reset any depreciated, removed, or inactive preferences and it is important that you do this.
and they all lived happily ever after
All done? Great! Your Thunderbird is now 100% hacker proof (assuming you cut your network cable and short out your WiFi, Bluetooth and cellular radios). Seriously, it will be much harder for the sender of an email to violate your privacy or compromise your computer's security provided you don't do stupid things like opening unsolicited attachments (or any attachments if you can avoid them).
- rewrote parts of the documents and corrected some minor errors
- fixed an incorrect link (thanks to Damien)
- added info about updater.sh file for Linux
- lots of non-critical changes and clarifications
- minor edits
- added info about prefsCleaner script
- updated user-overrides.js
- first version published