Introduction to Thunderbird and I2P Mail
Thunderbird is a free, open-source email client developed by Mozilla. First released in 2003, it is cross-platform and officially available for Windows, Linux, and macOS. The source code is written in C and C++, and the graphical interface uses the GTK framework. Thunderbird features an intuitive interface and supports the SMTP protocol (for sending mail), POP3 (for receiving mail without leaving a copy on the server), and IMAP (for receiving mail that remains on the server). Additionally, it supports NNTP and RSS for news and site updates, as well as IRC and XMPP for instant messaging, though these are not its primary focus.
Email protocols are quite old and lack built-in encryption, except for secure server connections. On the mail server itself, messages are stored as plain text, making them accessible to anyone with direct (even unauthorized) access to the server.
This guide demonstrates how to use an I2P network mail server, which is functionally similar to using Gmail or other services, but with added privacy. To ensure end-to-end encryption from sender to recipient, we’ll use the RNP module, an implementation of the OpenPGP asymmetric encryption standard.
All examples are shown on Windows for simplicity, but the process is similar on other operating systems. This material is for educational purposes only. The author is not responsible for any software errors or for those who use this technology for illegal purposes.
Installing i2pd and Registering a Mailbox
To access the anonymous I2P network, you need to install a special program called an I2P router. For best performance, use i2pd. Installation is straightforward on any OS, so the download and initial launch steps are not covered here. To access hidden sites in your web browser, set up a proxy. In Firefox, go to Settings → Network Settings → Manual proxy configuration. The default i2pd HTTP proxy address is 127.0.0.1:4444.
With your browser configured, you can now access hidden sites! For this example, we’ll use the most popular I2P mail service: hq.postman.i2p, often called “mail.i2p”. To create a new mailbox, select “Creating a mailbox” from the menu.
The service description page notes that within the I2P network, your address will be @mail.i2p, and for external access, @i2pmail.org. It is strictly forbidden to use the service for illegal purposes. After filling out the registration form and confirming your details, you’ll see a summary of your new account. Registration may take up to five minutes. The service supports SMTP and POP3 protocols, and accounts are deleted after 100 days of inactivity.
Once your account is ready, you’ll need to connect to it. Make sure you have Thunderbird installed; download it only from the official site, as it’s free and there’s no need to pirate it.
To access the I2P server via SMTP and POP3, you need to create client tunnels. Don’t worry, this is very simple. Open the tunnels.conf configuration file. On Windows, it’s usually in %APPDATA%\i2pd\; on Debian, it’s /etc/i2pd/.
The file usually contains the necessary tunnels, but they are commented out. Remove the hash signs at the beginning of the [SMTP] and [POP3] sections. If you don’t have a template config file, create a new tunnels.conf in the i2pd working directory (check via the web console) and add the following:
[SMTP]
type = client
address = 127.0.0.1
port = 7659
destination = smtp.postman.i2p
destinationport = 25
keys = smtp-keys.dat

[POP3]
type = client
address = 127.0.0.1
port = 7660
destination = pop.postman.i2p
destinationport = 110
keys = pop3-keys.dat
Restart the I2P router (close and reopen i2pd). You can confirm the SMTP and POP3 tunnels are active by checking “I2P tunnels” in the web console.
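To check the tunnels.conf edit before restarting the router, here is an added example (not from this guide or from i2pd) that uncomments the [SMTP] and [POP3] sections of a constructed copy of the template and validates them, in particular that the local listeners stay on loopback; the sample text and function names are assumptions.

```python
import configparser
import ipaddress
# Constructed sample of the i2pd tunnels.conf template: the mail tunnels are
# present but commented out, as the guide describes.
TEMPLATE = """\
#[SMTP]
#type = client
#address = 127.0.0.1
#port = 7659
#destination = smtp.postman.i2p
#destinationport = 25
#keys = smtp-keys.dat

#[POP3]
#type = client
#address = 127.0.0.1
#port = 7660
#destination = pop.postman.i2p
#destinationport = 110
#keys = pop3-keys.dat
"""

def uncomment_sections(text, names):
    """Strip the leading '#' from the header and key = value lines of the named sections."""
    out, active = [], False
    for line in text.splitlines():
        body = line.lstrip("#")
        if body.startswith("["):                      # a header starts a new block
            active = body.strip()[1:-1] in names
        if active and line.startswith("#") and (body.startswith("[") or "=" in body):
            line = body
        out.append(line)
    return "\n".join(out) + "\n"

def client_endpoints(text, names=("SMTP", "POP3")):
    """Validate the client tunnels and return the host/port pairs Thunderbird needs."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    result = {}
    for name in names:
        if name not in cfg:
            raise ValueError(f"[{name}] is missing or still commented out")
        s = cfg[name]
        # The listener must stay on loopback: the tunnel carries plaintext SMTP/POP3.
        if not ipaddress.ip_address(s["address"]).is_loopback:
            raise ValueError(f"[{name}] listens on {s['address']}, not loopback")
        if not s["destination"].endswith(".i2p"):
            raise ValueError(f"[{name}] destination is not an I2P hostname")
        result[name] = (s["address"], int(s["port"]))
    return result
```

The returned pairs are exactly the server address and port values you enter into Thunderbird for outgoing (SMTP) and incoming (POP3) mail.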
If you have the technical skills, you can also run your own mail server in the hidden network and use it similarly.
Configuring Thunderbird
At the top of the Thunderbird interface, find the “Account Settings” button. In the “Account Actions” menu, select “Add Mail Account”.
Enter your registration details. Thunderbird may warn you about the @mail.i2p domain, but you can proceed after acknowledging the warning. By default, incoming mail uses IMAP; switch this to POP3. Enter the addresses and port numbers from your tunnel configuration file. Disable SSL encryption, as I2P already provides security. Authentication is by regular password. The username is your mailbox name without @mail.i2p. When you click “Done”, Thunderbird may warn you about an unencrypted connection; ignore this, as I2P handles encryption.
If clicking “Get Mail” in the top left connects to the server, your setup is correct.
For regular internet mail servers, connection parameters can be found in the service’s documentation or help page.
Setting Up End-to-End Encryption
To enable end-to-end encryption, select your account and click the relevant button on the right side of the screen.
Since August 2020, Thunderbird uses a built-in key store, independent of OS key managers or third-party plugins. You can create or import keys directly in Thunderbird. The built-in key manager allows you to create keys and link a specific key to your mailbox for default decryption and signing. For beginners, we’ll cover creating a new key and using it.
Click “Add Key”, then “Create a New OpenPGP Key”.
The screenshot shows creating a permanent key using elliptic curves, which is more advanced than the default RSA. After creation, the key is automatically linked to your mailbox.
Asymmetric encryption relies on two keys: a private key (for decryption and signing, kept secure) and a public key (shared freely, used for signature verification and encryption). To use your key on another device, make a backup. Expand the key’s details, click “More”, then “Backup Secret Key to File”.
It’s crucial to keep your secret key safe. If someone else gets it, your past encrypted correspondence is compromised, and you’ll need to create a new key and share it with your contacts. Store your secret key securely, ideally in an encrypted container and on an isolated device.
Below on the same page are default encryption and signing settings. It’s recommended to enable both.
Signing uses your key and should be done regardless of whether your recipient has a key. Encryption is only possible if you have the recipient’s public key. The digital signature’s integrity is verified with your public key, which is attached to the message, ensuring the content hasn’t been altered in transit.
When Thunderbird starts, it decrypts its key store. If your computer is compromised, your secret key could be stolen. To protect it, set a master password in Thunderbird’s settings, which will be required to decrypt the key store. The password is requested each time Thunderbird starts; if the correct phrase isn’t entered, the client will still launch, but keys won’t be usable.
Go to “Settings”, then “Privacy & Security”. Check “Use a master password” and create one. Make it strong; this is your last line of defense for your secret keys.
If you forget the master password, all protected data will be lost forever.
Sending and Receiving Encrypted Emails
When composing a new message with these settings, your public key is attached, the message is signed, and, if you have the recipient’s public key, it is encrypted. The recipient’s key is identified in the key store by their email address.
If you don’t have the recipient’s public key, select “Do not encrypt” under the “Security” tab, as you can’t encrypt without it and the message won’t send otherwise.
When the recipient receives your message, they can import your public key and reply with an encrypted and signed message, so you can be sure of the sender’s identity.
A lock and checkmark icon in the message status means the message was encrypted by the sender and successfully decrypted on your end. A certificate icon indicates a digital signature. To verify it, import the sender’s public key into your local key store. If the key is attached, an import button will appear automatically.
After importing, you can verify the signature. Thunderbird won’t show a green trust icon until you manually confirm the key’s authenticity, usually by checking its fingerprint, which is often published on websites, in email signatures, etc.
In this example, the sender’s key fingerprint is in the message. After verifying, confirm the key. The signature icon will then display a green checkmark instead of a yellow warning.
Final Notes
Your key’s fingerprint, used to sign your messages, is your identity. If you need to send a message anonymously, don’t use your usual digital signature.
No encryption method is absolutely secure, as there are other ways to compromise your device or identity. Never open attachments or click links from senders you don’t fully trust.