See the revision history at the end of this document.
Thunderbird is a very popular, free, open source, multi-platform, extensible email client. Our goal here will be to further harden it against security and privacy threats by making a bazillion changes to its preferences using a custom user.js preferences file which was inspired by the popular ‘ghacks’ user.js for Firefox. The fellas running the ‘ghacks’ user.js project are a well connected and knowledgeable bunch regarding the inner workings of Firefox and a lot of that knowledge applies directly to Thunderbird.
junk you’ll need to do
If you’re running Windows you need to unhide file extensions, and i suggest you keep them un-hidden.
You’ll need a decent code editor with syntax highlighting. For Windows, PSPad is nice, simple and free (don’t use Notepad). If you’re running Linux you’ve probably got something installed already. Poke around.
While there are many forks and derivatives of Thunderbird, we want only the official release which you can grab here if you’re being abused by Microsoft. For Linux users, look in your package manager.
If you have installed Thunderbird for the first time, run it and set up an email address, then close it before doing anything else. This will create the necessary profile directory we will be impregnating in a moment.
don’t be a retard
If you’re already using Thunderbird, you !!! NEED !!! (did you note the emphasis there?) to make a backup of your current profile. If you don’t know where Thunderbird stores your profile, click the Hamburger-looking icon on the toolbar, then expand the ‘Help’ menu and click the ‘Troubleshooting Information’ menu item. In the ‘Application Basics’ section, click the ‘Open Directory’ label next to the ‘Profile Directory’ label.
In your file manager you want to move up one directory where you will find your profile folder. If you haven’t renamed it, the name will end in
.default. Copy that folder (Ctrl+C) and then paste it in the same place (Ctrl+V). When you are prompted for a new name, just append something like
-bak to it.
the not necessarily all important user-overrides.js
The user-overrides.js file is where we’ll be storing all our custom preferences, as well as any changes we want to make to the ‘HorlogeSkynet’ user.js which we’ll be grabbing in a minute. The contents of this file will then be appended to the user.js file. As i hinted earlier, you will save yourself many a headache if you store your custom preferences in a user-overrides.js file rather than editing the user.js.
I keep a copy of my personal user-overrides.js at my Codeberg repository if you wish to pirate it, in which case you can click on the file name, then click the ‘Raw’ link and, finally, press Ctrl+S to save the file to your Thunderbird profile directory (here’s the direct link). If you’d rather create your own, just create a file named
user-overrides.js in your profile directory. If you don’t wish to make any changes to the preferences in the user.js file, or add your own preferences, then you don’t need a user-overrides.js at all. If you create your own user-overrides.js, you may want to refer to mine for examples and best practices.
IMPORTANT: If you are using my user-overrides.js, it is very important that you open the file in a capable code editor and go through it, line by line, to make sure you’re okay with all the preferences. Again, these are my personal preferences and i do not edit them for public consumption.
the totally necessary all important user.js
Note that the ‘HorlogeSkynet’ user.js file is slanted toward using Thunderbird as an email client and nothing more, so chat and some other non-mail functionality is disabled by default.
To make updating the user.js file as easy as possible, do not edit it! Instead, copy all the preferences you want to change to the ‘USER CUSTOM PREFERENCES’ section of your user-overrides.js file (if you’re using mine). The best way to get the user.js file depends on whether…...you're running Linux
Download the updater.sh script from my Codeberg repository by clicking on the updater.sh script, then the ‘Raw’ button, then press Ctrl+S to save it to your Thunderbird profile directory (here’s the direct link).
You will need to make the file executable. You could try meditation or sacrificing a goat, but it’d probably be quicker to just right-click on it to open the file properties dialog window and click the ‘Is executable’ checkbox on the ‘Permissions’ tab (or similar). If your file browser doesn’t have such an option, see How do I run .sh files?.
We need to run that updater.sh script from a terminal, so open one and change the directory to your Thunderbird profile directory. In the example below you’ll need to change ‘gobbledygook’ to match the correct name of your profile folder which might be something along the lines of…
Now run the updater.sh script by preceding the file name with a dot and a slash:
The updater script will spit out some introductory stuff and then prompt you to continue. If by chance everything in the universe is aligned just so, and you’ve followed the directions, the script will download a fresh copy of the ‘HorlogeSkynet’ user.js file to your profile directory and append the contents of your user-overrides.js to it (if you’re using one) just like it says on the tin.
To see all the options for running the updater script, see the Updater Scripts article on the ‘ghacks’ wiki or run the script with the
-h switch (
Head over to the HorlogeSkynet/thunderbird-user.js repository at GitHub and click on the user.js file, then click the ‘Raw’ link, then press Ctrl+S to save the file to your Thunderbird profile directory (here’s the direct link). To verify that you placed the user.js file in the correct place, it should be in the same place as the prefs.js file.
If you’re using a user-overrides.js file, Thunderbird has no idea what the hell you’re doing and so in order to apply the preferences in the user-overrides.js, copy the entire contents of the file and then paste this at the very end of the user.js file, starting on an empty line which you can add if necessary.
the prefsCleaner scrubber script
Any time you update the ‘HorlogeSkynet’ user.js, or edit your user-overrides.js, you should always run the ‘ghacks’ prefsCleaner.sh (Linux) or prefsCleaner.bat (Windows) script in order to reset any old/removed/depreciated preferences, otherwise they will remain active in Thunderbird’s prefs.js file. More information about the prefsCleaner script and how to remove/reset custom preferences you add to your user-overrides.js or user.js file is contained in my user-overrides.js file. Also see Resetting Inactive Prefs [Scripts] in the ‘ghacks’ user.js wiki. While this document pertains to Firefox, it can be applied to Thunderbird as well.
You can grab the ‘ghacks’ prefsCleaner.sh (Linux) or prefsCleaner.bat (Windows) script at the GitHub – ghacksuserjs/ghacks-user.js repository. Click on the file name, then click the ‘Raw’ button, then press Ctrl+S to save it to your Thunderbird profile directory where your user.js file resides (here’s the direct link for the Linux version and here’s the direct link for the Windows version). If you’re using Linux, don’t forget to make the script executable.
don’t be a fossil
To keep informed of updates to the ‘HorlogeSkynet’ user.js, you can subscribe to the Recent Commits to thunderbird-user.js:master news feed.
To keep informed of updates to my user-overrides.js, you can subscribe to the Thunderbird category on this website.
To check for a new version ot the ‘HorlogeSkynet’ user.js manually, say once a month or so, or whenever a new version of Thunderbird is released, go to the HorlogeSkynet/thunderbird-user.js repository at GitHub and click on the user.js file to compare the version with your current version. If a new version is available, then how you update the user.js depends on whether…... you're running Linux
With Thunderbird closed, run the updater.sh script. You can run it with the
-c switch (
./updater.sh -c) which will create a ‘diff’ file that will list all the differences between the old user.js and the new one.
... or Windows
With Thunderbird closed, rename your current user.js file by adding
.bak to it, then go to the HorlogeSkynet/thunderbird-user.js repository at GitHub and click on the user’js file, then the ‘Raw’ button, then press Ctrl+S to save it to your Thunderbird profile directory.
Each time you update the user.js, be sure to follow it up by running the prefsCleaner script using the same method as described earlier for your operating system. The prefsCleaner script will reset any depreciated, removed, or inactive preferences and it is important that you do this.
and they all lived happily ever after
All done? Great! Your Thunderbird is now 100% hacker proof (assuming you cut your network cable and short out your WiFi, Bluetooth and cellular radios). Seriously, it will be much harder for the sender of an email to violate your privacy or compromise your computer’s security.
- first publish
- added info about prefsCleaner script
- updated user-overrides.js
- minor edits
- added info about updater.sh file for Linux
- lots of non-critical changes and clarifications