Setting up Thunderbird

Preferences

Account Settings

Message filters

root
From contains root@
--> CRON

bcc
To or Cc doesn't contain YOUR@EMAIL
To or Cc doesn't contain YOUR-OTHER@EMAIL
--> BCC

Otherwise, put the bcc filter first with an exclusion for cron mail, then the cron filter:

bcc
To or Cc doesn't contain YOUR@EMAIL
From doesn't contain root@

cron
From contains root@

P11-KIT

Use an empty /etc/ssl/certs/ca-certificates.crt instead of Mozilla’s built-in store.

apt install p11-kit p11-kit-modules

updatedb
locate libnssckbi.so
locate p11-kit-trust.so

mv /usr/lib/thunderbird/libnssckbi.so /usr/lib/thunderbird/libnssckbi.so.dist
cp /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/thunderbird/libnssckbi.so

mv /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.dist
touch /etc/ssl/certs/ca-certificates.crt

You will still see some Authorities listed for some reason, but the list got reduced and they are maybe not even used.

Preferences -> Advanced // Certificates

If you really want to be sure, use a valid LE cert and you will see you get prompted to accept it anyway. I am sorry, that’s the best we’ve got so far.
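
A check for the swap above, as an added example that is not part of the original notes: it confirms that Thunderbird's libnssckbi.so is still a copy of p11-kit-trust.so and that the CA bundle is still empty, since a thunderbird package upgrade reinstalls the original module and update-ca-certificates regenerates the bundle. The function names are made up for this example; the default paths are the ones used above.

```shell
#!/bin/sh
# Added example: verify that the p11-kit swap described above is still in place.
# Default paths are the ones used on this page; pass others as arguments.

# Number of PEM certificates in a bundle (0 for an empty or missing file).
count_pem_certs() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds when Thunderbird's libnssckbi.so is byte-identical to p11-kit-trust.so.
module_is_swapped() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# Prints one status line per check; returns non-zero if any check fails.
check_trust_swap() {
    tb_lib=${1:-/usr/lib/thunderbird/libnssckbi.so}
    p11_lib=${2:-/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so}
    bundle=${3:-/etc/ssl/certs/ca-certificates.crt}
    rc=0
    if module_is_swapped "$tb_lib" "$p11_lib"; then
        echo "OK   $tb_lib is the p11-kit trust module"
    else
        echo "FAIL $tb_lib is not p11-kit-trust.so (package upgrade?)"
        rc=1
    fi
    n=$(count_pem_certs "$bundle")
    if [ "$n" -eq 0 ]; then
        echo "OK   $bundle holds no CA certificates"
    else
        echo "FAIL $bundle holds $n CA certificates"
        rc=1
    fi
    return $rc
}
```

Source the file and run check_trust_swap with no arguments after package upgrades; it returns non-zero if either check fails.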

TODO

(UNUSED) Import your ORG’s Root CA

This does not work, hence we went for the P11-KIT solution above.

The trust store is an NSS Shared DB.

apt install libnss3-tools

cd ~/.thunderbird/
find . -name '*.db'
cd ./PROFILE.default-release/

cat cert_override.txt
cat pkcs11.txt

cp cert9.db cert9.db.dist
cp key4.db key4.db.dist

# cert9 & key4
certutil -A -n "Nethence Root CA" -t "TC,TC,TC" -i /etc/ssl/ca.crt -d sql:`pwd`
#-t "TC,C,C"
#-t "TC,TC,TC"
#-t "TC,C,T"
#-t "TC,Cw,Tw"

# cert8
#-d dbm:

ls -lF cert*
ls -lF key*

Troubles

Not much success with this command:

modutil -list

modutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

Resources

How to Stop Thunderbird Showing ‘Me’ or ‘You’ instead of Your Own Email Address https://www.kuxas.com/148/how-to-stop-thunderbird-showing-me-or-you-instead-of-your-own-email-address

Client issues and configuration https://wiki2.dovecot.org/Clients

IMAP Folders' names with “/” problems for different platforms https://bugzilla.mozilla.org/show_bug.cgi?id=29926

dovecot-postfix imap configuration for thunderbird https://lists.ubuntu.com/archives/ubuntu-users/2013-January/266533.html

Thunderbird should use \Flagged IMAP flag to indicate “Important” https://bugzilla.mozilla.org/show_bug.cgi?id=335293

p11-kit trust store

https://p11-glue.github.io/p11-glue/trust-module.html
https://p11-glue.github.io/p11-glue/sharing-trust-policy.html
https://p11-glue.github.io/p11-glue/doc/storing-trust-policy/

Firefox trust system trusted certificates https://bgstack15.wordpress.com/2018/10/04/firefox-trust-system-trusted-certificates/
https://www.techrepublic.com/article/how-to-add-a-trusted-certificate-authority-certificate-to-chrome-and-firefox/
https://askubuntu.com/questions/244582/add-certificate-authorities-system-wide-on-firefox/1036637#1036637
https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

CA/AddRootToFirefox https://wiki.mozilla.org/CA/AddRootToFirefox

nss engine

Setting Up Certificate Authorities (CAs) in Firefox https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

NSS-Crypto.org https://nss-crypto.org/

Network Security Services https://en.wikipedia.org/wiki/Network_Security_Services

NSS Tools: How to configure Thunderbird profile to use a specific signing/encryption certificate? http://mozilla.6506.n7.nabble.com/NSS-Tools-How-to-configure-Thunderbird-profile-to-use-a-specific-signing-encryption-certificate-td342199.html

NSS tools : modutil https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_modutil

nss trust store (default)

https://wiki.mozilla.org/NSS_Shared_DB

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil

https://gist.github.com/ThomasLeister/f55fa9c2e85b506ce00ed91f059f0138

Add certificate authorities system-wide on Firefox https://askubuntu.com/questions/244582/add-certificate-authorities-system-wide-on-firefox

https://me.micahrl.com/blog/mozilla-ssl-nss/
https://stackoverflow.com/questions/1435000/programmatically-install-certificate-into-mozilla
http://web.archive.org/web/20150622023251/http://www.computer42.org:80/xwiki-static/exported/DevNotes/xwiki.DevNotes.Firefox.html

http://bahut.alma.ch/2011/07/importing-root-certificates-into.html
https://blogs.oracle.com/meena/about-trust-flags-of-certificates-in-nss-database-that-can-be-modified-by-certutil

forensics

https://github.com/nyov/python-ffpassdecrypt/blob/master/firefox_passwd.py

https://github.com/glondu/nss-passwords