Setting up Thunderbird

sslhappy-ca | dovecot-clientcert | thunderbird | apache-clientcert | firefox


Account ettings

Message filters

From contains root@
--> CRON

To or Cc doesn't contain YOUR@EMAIL
To or Cc doesn't contain YOUR-OTHER@EMAIL
--> BCC

otherwise first bcc with exclusion on crontabs, then crontabs

To or Cc doesn't contain YOUR@EMAIL
From doesn't contain root@

From contains root@


use an empty /etc/ssl/certs/ca-certificates.crt instead of mozilla’s built-in store.

apt install p11-kit p11-kit-modules


mv /usr/lib/thunderbird/ /usr/lib/thunderbird/
cp /usr/lib/x86_64-linux-gnu/pkcs11/ /usr/lib/thunderbird/

mv /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.dist
touch /etc/ssl/certs/ca-certificates.crt

you will still see some Authorities for some reason mentioned but the list got reduced and maybe not even used

Preferences -> Advanced // Certificates

if you really want to be sure, use a valid LE cert and you will see you get prompted to accept it anyways. I am sorry that’s the best we’ve got so far.


(UNUSED) Import your ORG’s Root CA

this does not work hence we went for the P11-KIT solution above

the trust store is an NSS Shared DB

apt install libnss3-tools

cd ~/.thunderbird/
find . | grep .db$
cd ./PROFILE.default-release/

cat cert_override.txt
cat pkcs11.txt

cp cert9.db cert9.db.dist
cp key4.db key4.db.dist

# cert9 & key4
certutil -A -n "Nethence Root CA" -t "TC,TC,TC" -i /etc/ssl/ca.crt -d sql:`pwd`
#-t "TC,C,C"
#-t "TC,TC,TC"
#-t "TC,C,T"
#-t "TC,Cw,Tw"

# cert8
#-d dbm:

ls -lF cert*
ls -lF key*


not much success with this command

modutil -list

modutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.


How to Stop Thunderbird Showing ‘Me’ or ‘You’ instead of Your Own Email Address

Client issues and configuration

IMAP Folders' names with “/” problems for different platforms

dovecot-postfix imap configuration for thunderbird

Thunderbird should use \Flagged IMAP flag to indicate “Important”

p11-kit trust store

Firefox trust system trusted certificates


nss engine

Setting Up Certificate Authorities (CAs) in Firefox

Network Security Services

NSS Tools: How to configure Thunderbird profile to use a specific signing/encryption certificate?

NSS tools : modutil

nss trust store (default)

Add certificate authorities system-wide on Firefox