See the revision history at the end of this document.
hi :)
Thunderbird is a very popular, free, open source, multi-platform, extensible email client with included calendar functionality and encryption. Our goal here will be to further harden it against security and privacy threats by making a bazillion changes to its preferences using a custom user.js preferences file which was inspired by the popular 'arkenfox' user.js for Firefox. The fellas running the 'arkenfox' user.js project are a well connected and knowledgeable bunch regarding the inner workings of Firefox and a lot of that knowledge can be applied to Thunderbird as well.
junk you'll need to do
If you’re running Windows you need to unhide file extensions, and i suggest you keep them un-hidden.
You’ll need a decent code editor with syntax highlighting. For Windows, PSPad is nice, simple and free (don't use Notepad). If you’re running Linux you’ve probably got something installed already.
While there are many forks and derivatives of Thunderbird, we want only the official release which you can grab here if you're being abused by Microsoft. For Linux users, look in your package manager.
If you have installed Thunderbird for the first time, run it and set up an email account, then close it before doing anything else. This will create the necessary profile directory we will be impregnating in a moment.
don't be a retard
If you're already using Thunderbird, you !!! NEED !!! (did you note the emphasis there?) to make a backup of your current profile. If you don't know where Thunderbird stores your profile, click the Hamburger-looking icon on the toolbar, then expand the 'Help' menu and click the 'More Troubleshooting Information' menu item. In the 'Application Basics' section, click the 'Open Directory' button next to the 'Profile Directory' label.
In your file manager you want to move up one directory where you will find your profile folder. If you haven't renamed it, the name will end in .default. Copy that folder (Ctrl+C) and then paste it in the same place (Ctrl+V). When you are prompted for a new name, just append something like -bak to it.
the not necessarily important user-overrides.js
The user-overrides.js file is where we'll be storing all our custom preferences, as well as any changes we want to make to the 'HorlogeSkynet' user.js which we'll be grabbing in a minute. The contents of this file will then be appended to the user.js file. You will save yourself many a headache if you store your custom preferences in a user-overrides.js file rather than editing the user.js file since the next update will trash any changes you made.
I keep a copy of my personal user-overrides.js at my Codeberg repository if you wish to pirate it, in which case you can click on the file name, then click the 'Raw' link and, finally, press Ctrl+S to save the file to your Thunderbird profile directory (here's the direct link to the file). If you'd rather create your own, just create a file named user-overrides.js in your profile directory. If you don't wish to make any changes to the preferences in the user.js file, or add your own preferences, then you don't need a user-overrides.js at all. If you do create one, you may want to refer to mine for examples and best practices.
IMPORTANT: If you are using my user-overrides.js, it is very important that you open the file in a capable code editor and go through it, line by line, to make sure you're okay with all the preferences. Again, these are my personal preferences and i do not edit them for public consumption.
the totally necessary all important user.js
Note that the 'HorlogeSkynet' user.js file is slanted toward using Thunderbird as an email client and nothing more, so chat and some other non-mail functionality is disabled by default.
Head over to the HorlogeSkynet/thunderbird-user.js repository at GitHub and click on the user.js file, then click the 'Raw' link, then press Ctrl+S to save the file to your Thunderbird profile directory (here's the direct link). To verify that you placed the user.js file in the correct place, it should be in the same place as the prefs.js file.
Now go through the entire 'HorlogeSkynet' user.js file and read everything. Again, to make updating the user.js file as painless as possible, do not edit it! Instead, copy the preferences you want to change to the 'USER CUSTOM PREFERENCES' section of your user-overrides.js file.
If you're using a user-overrides.js file, Thunderbird has no idea what the hell that is, so in order to apply those preferences you need to copy the entire contents of the file and paste it at the very end of the 'HorlogeSkynet' user.js file, beginning on an empty line.
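The manual copy-and-paste step above can be scripted so that repeating it replaces the earlier pasted copy instead of stacking a second one. This is an added example, not code from the 'HorlogeSkynet' or 'arkenfox' projects; the marker comments and the function names merge_overrides and effective_value are assumptions made for the example.

```shell
#!/bin/sh
# Added example; the marker text and function names are assumptions.
BEGIN_MARK='// >>> user-overrides.js (appended copy) >>>'
END_MARK='// <<< user-overrides.js (appended copy) <<<'

# merge_overrides PROFILE_DIR
# Rebuilds user.js as: original user.js (minus any earlier appended copy)
# followed by the current user-overrides.js between the two markers.
merge_overrides() {
    dir=$1
    userjs="$dir/user.js"
    overrides="$dir/user-overrides.js"
    if [ ! -f "$userjs" ] || [ ! -f "$overrides" ]; then
        echo "user.js or user-overrides.js not found in $dir" >&2
        return 1
    fi
    # Temp file in the same directory so the final mv is a simple rename.
    tmp=$(mktemp "$dir/user.js.XXXXXX") || return 1
    # Drop a previously appended block so repeated runs do not stack copies.
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$userjs" > "$tmp" || { rm -f "$tmp"; return 1; }
    {
        printf '%s\n' "$BEGIN_MARK"
        awk '{ print }' "$overrides"   # also adds a missing final newline
        printf '%s\n' "$END_MARK"
    } >> "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep the previous user.js next to the new one.
    cp -p "$userjs" "$userjs.bak" && mv "$tmp" "$userjs"
}

# effective_value FILE PREF_NAME
# Prints the value of the last active user_pref line for PREF_NAME, which is
# the one that applies. Lines starting with // are skipped; prefs inside
# multi-line /* */ comments are not detected.
effective_value() {
    name=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n 's/^[[:space:]]*user_pref("'"$name"'",[[:space:]]*\(.*\));.*$/\1/p' "$1" |
        tail -n 1
}
```

Run merge_overrides with Thunderbird closed and pass it the profile directory; user.js.bak holds the file as it was before the most recent run, so it is not a substitute for the profile backup made earlier.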
the prefsCleaner scrubber script
Any time you update the 'HorlogeSkynet' user.js, or edit your user-overrides.js, you should always run the 'arkenfox' prefsCleaner.sh (Linux) or prefsCleaner.bat (Windows) script in order to reset any old/removed/deprecated preferences, otherwise they will remain active in Thunderbird. More information about the prefsCleaner script and how to remove/reset custom preferences you add to your user-overrides.js or user.js file is contained in my user-overrides.js file. Also see the prefsCleaner section in the 'arkenfox' user.js wiki. While that document pertains to Firefox, it can be applied to Thunderbird as well.
You can grab the 'arkenfox' prefsCleaner.sh (Linux) or prefsCleaner.bat (Windows) script at the arkenfox/user.js repository at GitHub. Click on the file name, then click the 'Raw' button, then press Ctrl+S to save it to your Thunderbird profile directory where your user.js file resides (here's the direct link for the Linux version and here's the direct link for the Windows version). If you're using Linux, don't forget to make the script executable, either from a menu in your file manager or from a terminal:
$ chmod +x prefsCleaner.sh
To run the script in a Linux environment:
$ ./prefsCleaner.sh
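Before running the cleaner it can be useful to see which stored preferences are likely to fall back to Thunderbird's defaults afterwards. The following is an added example, not the 'arkenfox' script: a read-only dry run that lists preferences present in prefs.js whose only mention in user.js is a commented-out line. It assumes that a line beginning with // user_pref( is what counts as an inactive preference; the function names pref_names and revert_candidates are made up for the example.

```shell
#!/bin/sh
# Added example, not the arkenfox prefsCleaner. Reads prefs.js and user.js
# from a profile directory and changes neither file.

# pref_names: read preference lines on stdin, print the unique pref names.
# Accepts active lines and lines commented out with a leading //.
pref_names() {
    sed -n 's|^[[:space:]]*\(//[[:space:]]*\)\{0,1\}user_pref("\([^"]*\)".*|\2|p' |
        sort -u
}

# revert_candidates PROFILE_DIR
# Prints the names of prefs that are stored in prefs.js and appear in user.js
# only as commented-out lines. Once removed from prefs.js, nothing in user.js
# sets them again, so they take their default values.
revert_candidates() {
    dir=$1
    if [ ! -f "$dir/prefs.js" ] || [ ! -f "$dir/user.js" ]; then
        echo "prefs.js or user.js not found in $dir" >&2
        return 1
    fi
    work=$(mktemp -d) || return 1
    # Names set by active lines in user.js.
    grep -v '^[[:space:]]*//' "$dir/user.js" | pref_names > "$work/active"
    # Names that appear on commented-out lines in user.js.
    grep '^[[:space:]]*//' "$dir/user.js" | pref_names > "$work/commented"
    # Names currently stored by Thunderbird.
    pref_names < "$dir/prefs.js" > "$work/stored"
    # (commented minus active) intersected with stored.
    comm -23 "$work/commented" "$work/active" | comm -12 - "$work/stored"
    rm -rf "$work"
}
```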
don't be a fossil
To be informed of updates to the 'HorlogeSkynet' user.js, you can subscribe to the Recent Commits to thunderbird-user.js:master news feed.
To be informed of updates to my user-overrides.js, you should subscribe to the news feed on my Codeberg repository.
To check for a new version of the 'HorlogeSkynet' user.js, which you should do once a month or so, or whenever a new version of Thunderbird is released, go to the HorlogeSkynet/thunderbird-user.js repository at GitHub and click on the user.js file to compare the version with your current version.
Each time you update the 'HorlogeSkynet' user.js, be sure to exit Thunderbird and run the prefsCleaner script to reset any deprecated, removed, or inactive preferences.
and they all lived happily ever after
All done? Great! Your Thunderbird is now 100% hacker proof (assuming you cut your network cable and short out your WiFi, Bluetooth and cellular radios). Seriously, it will be much harder for the sender of an email to violate your privacy or compromise your computer's security provided you don't do stupid things like opening unsolicited attachments (or any attachments if you can avoid them).
revision history
18-Apr-2023
- minor changes
7-Jul-2022
- rewrote parts of the documents and corrected some minor errors
- fixed an incorrect link (thanks to Damien)
3-Dec-2019
- added info about updater.sh file for Linux
- lots of non-critical changes and clarifications
28-Nov-2019
- minor edits
27-Nov-2019
- added info about prefsCleaner script
- updated user-overrides.js
28-May-2019
- first version published
Good guide, I’d also advise using Enigmail for additional protection though.
You could also use one of the following private email providers:
ProtonMail (requires bridge for Thunderbird usage)
CounterMail (requires premium for IMAP/SMTP support)
Hushmail
Mailfence (requires paid plan for IMAP/SMTP)
Disroot
Runbox
Posteo.de
LuxSci
mailbox.org
StartMail
There are probably other services out there but I think this is enough for now.
thanks for the comment
an alternative to Enigmail for those interested is Autocrypt
and one mail provider i’d add to your nice list is Lavabit – yes, Ladar is back in business :)
i use and like Runbox
Hi, Thank you for this useful guide.
When you say: “Any time you update the ‘HorlogeSkynet’ user.js, or edit your user-overrides.js, you should always run the ‘arkenfox’ prefsCleaner.sh (Linux) or prefsCleaner.bat (Windows) script in order to reset any old/removed/depreciated preferences, otherwise they will remain active in Thunderbird’s prefs.js file. ”
Should I run the arkenfox’ prefsCleaner.sh when I follow your guide for the 1st time (running ./updater.sh for the 1st time)? And should I run the arkenfox’ prefsCleaner.sh before or after running ./updater.sh?
Thanks.
you can run the prefsCleaner script any time you want, however you should always run it after the ‘HorlogeSkynet’ user.js is updated
to answer your ? more accurately, no, you don’t have to run it before updater.sh, but you can run it after to clean up any old prefs that may be listed as depreciated, etc., in user.js
Ok, thanks. So I shouldn’t run prefsCleaner script now as I installed user.js for the first time, but I should run it from now on each time I update the user.js… Am I right? Sorry to insist, English isn’t my native language.
you can run the cleaner script any time, even before you run the updater script
just be sure to always run it after the updater script updates user.js
make sense?
Yes, it makes sense, thank you. :-)
I have another problem. When I try to run the prefsCleaner.sh script, it says:
”
This script should be run from your Firefox profile directory.
It will remove any entries from prefs.js that also exist in user.js.
This will allow inactive preferences to be reset to their default values.
This Firefox profile shouldn’t be in use during the process.
1) Start
2) Help
3) Exit
#? 1
This Firefox profile seems to be in use. Close Firefox and try again.
Press any key to continue.
”
So I can’t run it. But Thunderbird isn’t launched when I try to run ./prefsCleaner.sh … What could cause that? Is there a way to bypass this warning?
Thank you.
odd – i run Linux also and prefsCleaner.sh doesn’t warn about t-bird OR firefox running even when they are, so there may be a problem with the script (i’ll mention this to the arkenfox user.js guys)
this is the block of code that does the checking:
while [ -e webappsstore.sqlite-shm ]; do
    echo -e "\nThis Firefox profile seems to be in use. Close Firefox and try again.\n"
    read -p "Press any key to continue."
done
you can do this with it and try running the script again…
#while [ -e webappsstore.sqlite-shm ]; do
# echo -e "\nThis Firefox profile seems to be in use. Close Firefox and try again.\n"
# read -p "Press any key to continue."
#done
Thanks! I tried first adding ‘#’ to the lines but it didn’t work and had an error message on line 34. So I deleted the lines and ran ./prefsCleaner.sh and it worked. I wonder why the check is faulty…
i don’t know, but i informed the developer about it
Another question… I edited the user-overrides.js file. Then copied/pasted its content on an empty line at the end of the user.js file. Then ran the prefsCleaner.sh script. Is it the correct procedure?
Should I then leave the copied/pasted content from the user-overrides.js file in the user.js file? Or leave it there and next time I edit user-overrides.js I copy/paste over it?
the updater.sh script will automatically append user-overrides.js to user.js – you don’t have to do it manually, but you can
and yes, that needs to stay there (firefox/t-bird doesn’t read user-overrides.js)
And last question (sorry for taking your time). I followed the “INTEGRITY CHECK 1” and have this result (screen shot):
https://i.imgur.com/wGJcgKV.png
value is “USER SETTINGS LOADED”
but you say (in the user-overrides.js file) it should be:
value is “12bytes.org USER SETTINGS LOADED”
Is it ok or does it mean I didn’t pass the integrity check?
yes, you passed – i fixed the typo in the file and will upload later
Ok, thank you for your kind help and explanations.
Hello,
When using user.js and your user-overrides.js with the cardbook addon https://addons.thunderbird.net/en-US/thunderbird/addon/cardbook/ , the address book (remote address book I have on my nextcloud server) is forgotten each time I close/start Thunderbird. I have to re-enter the url of my address book and credentials each time I start Thunderbird.
Do you know what can cause this behaviour?
Thank you.
i would suspect the problem is blocked cookies, but if it’s more than that then see this
Thks, I will try to investigate with your link. For the time being I tested by doing the following:
-I uninstalled user.js and user-overrides.js and this is what happened: Cardbook showed the contacts (without me adding the contacts url from my nextcloud again). So I suspect something in user.js or user-overrides.js prevents cardbook to show the contacts (cardbook seems to remember the contact url from my server but doesn’t show the contacts for whatever reason).
couple points…
* when you’re troubleshooting, you should *always* make a backup of your profile
* you never have to “uninstall” user.js – you can just rename it (user.js.bak) so Firefox can’t read it
* Firefox never reads user-overrides.js, so there’s no point in removing it for troubleshooting
you should read the link i gave, as well as what it says in the user.js and user-overrides.js files
Thks for the tips.
After putting the user.js and your user-overrides.js into practice I can no longer add a new email account. I cannot work out why.
I started with a new blank profile. After starting Thunderbird I only added 1 account and closed Thunderbird. Then put the user-overrides.js, updater.sh and prefsCleaner.sh into the Thunderbird profile directory. Ran the updater and prefsCleaner scripts. Thunderbird starts and works perfectly fine, but I cannot add any additional email accounts.
The option in the user UI to add an account is available and when I click it the dialog to add the new account opens. I can type in all of the required information but nothing happens when I click the Continue button. I can click on “Manual config” and if I check the settings it all looks ok but on this menu the “Done” button is grayed out. It is definitely something in the hardening that causes this.
I have created two hardened profiles, on the Thunderbird I use for personal and the one I use for work, both behave exactly the same.
Do you have any idea why?
[SECTION 6000]: THUNDERBIRD (AUTO CONFIG / UI / HEADERS / ADDRESS BOOK)
in user.js – just reset those prefs
ran into the same problem myself but never updated user-overrides
more here
Ok I see the problem with the account adding wizard (taking into consideration that user.js disables server auto-config). The “Port” , “SSL” , “Authentication” options on the “Manual config” window also needs to be set manually for the buttons to become enabled.
I do understand the privacy concerns though with using the auto-config because that sends info to Mozilla.
Thanks!
Do you know if Interlink Mail is a good alternative to Thunderbird? I’m only concerned about the smaller development team not being able to patch out security issues but considering Thunderbird’s team also keeps downsizing, I’m not sure that really matters.
sorry, i know nothing about Interlink Mail – however, i believe Mozilla is working on Thunderbird once again – correct me if i’m wrong
just wanted to ask – is the latest/current thunderbird user.js v78.1 still recommended as the current version of thunderbird is at v91.4.1
thank you
yes – look here
What happened to the updater.sh script? i no longer see any mention of it in your article. I still have a copy which i use and it seems to work as expected, so just wondering.
Your article now instead instructs to copy and paste the contents of the user-overrides.js file to the end of the user.js file.
the updater script was made using the script for the arkenfox user.js but i never kept up with the changes they made, which is why i dumped it – you can use theirs if you want, you’ll just have to make a few changes
It still works as is though. I didn’t think anything in it would really need to change unless i guess the download location for the user.js file changes. Otherwise it still downloads the latest user.js file and appends the user-overrides.js.
Maybe worth putting it back? You know, for dummies. :-)
for me it’s unnecessary and i don’t like publishing stuff i don’t use myself or don’t have an interest in maintaining
There is something else that i have been meaning to ask you for a long time. Usually when you reply to a message in a mail client the original message is copied to the new mail and the header is copied that shows the date time etc of the original message being replied to. The same happens when you forward an email.
However, after i apply the user.js file and i reply to a message the header is no longer copied. It is still copied when i forward but not when i reply. Do you know why that would be?
no idea – i never noticed this – you can do the process of elimination thing to find the pref that’s causing this