Status: Production Ready
Layer: 4 (Home-Manager) + 3 (User Setup for ProtonMail)
Security Posture: Hardened (Anti-Phishing)
Geckoforge includes Mozilla Thunderbird as the default email client with hardened settings aimed at phishing. Links in emails are not clickable by default: you copy the URL, inspect it, and paste it into a browser yourself, which forces a look at the real destination before anything opens.
- ✅ Clickable links disabled - Prevents accidental clicks on phishing URLs
- ✅ Remote content blocked - No tracking pixels or external images
- ✅ Plain text preference - HTML rendering minimized
- ✅ Telemetry disabled - No data sent to Mozilla
- ✅ JavaScript disabled - Reduces attack surface
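To confirm that those settings are actually in effect rather than only declared, the following script (added here as an example; it is not Geckoforge code) reads Thunderbird's prefs.js and compares a handful of preferences against hardened values. Which preferences the thunderbird-hardened module sets is not stated on this page, so the pref names and expected values are this example's assumptions, chosen to match the five bullets; the one the page does name, network.protocol-handler.external-default, is among them.

```shell
#!/bin/sh
# Added example for this page (not Geckoforge code): verify that the hardening
# prefs are really in effect by reading Thunderbird's prefs.js.
# The pref names and expected values below are this example's assumptions about
# what "hardened" means for the bullets above; adjust them to whatever the
# thunderbird-hardened module actually sets. Thunderbird falls back to its
# built-in default for any pref that is absent from the file.

check_tb_prefs() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    mismatches=0
    # One line per pref: name, expected value, what it protects against.
    while read -r pref want why; do
        case $pref in ''|'#'*) continue ;; esac
        # Escape dots so grep -E matches the pref name literally.
        esc=$(printf '%s' "$pref" | sed 's/\./\\./g')
        # Last user_pref("name", value); line wins, as it does in Thunderbird.
        actual=$({ grep -E "^user_pref\(\"$esc\"," "$file" || :; } | tail -n 1 \
                 | sed -E 's/^[^,]*, *//; s/\);[[:space:]]*$//')
        if [ -z "$actual" ]; then
            echo "MISSING  $pref (built-in default applies) - $why"
            mismatches=$((mismatches + 1))
        elif [ "$actual" = "$want" ]; then
            echo "OK       $pref = $actual"
        else
            echo "WRONG    $pref = $actual, expected $want - $why"
            mismatches=$((mismatches + 1))
        fi
    done <<'EOF'
mailnews.message_display.disable_remote_image true remote content blocked (tracking pixels, external images)
mailnews.display.prefer_plaintext true plain text preferred over HTML rendering
javascript.enabled false no script execution
toolkit.telemetry.enabled false no telemetry upload
datareporting.healthreport.uploadEnabled false no health report upload
network.protocol-handler.external-default false links not handed to an external browser
EOF
    [ "$mismatches" -eq 0 ]
}

# Constructed sample (not a real profile) with one pref left at its insecure
# value, so the check can be exercised without touching a live profile.
sample=$(mktemp)
cat >"$sample" <<'EOF'
user_pref("mailnews.message_display.disable_remote_image", true);
user_pref("mailnews.display.prefer_plaintext", true);
user_pref("javascript.enabled", false);
user_pref("toolkit.telemetry.enabled", false);
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("network.protocol-handler.external-default", true);
EOF
check_tb_prefs "$sample" || echo "exit status $?: at least one pref needs attention"
rm -f "$sample"

# Against a live profile (default profile directory under ~/.thunderbird):
#   check_tb_prefs ~/.thunderbird/*/prefs.js
```

Run it after `home-manager switch` and again after Thunderbird has been started once, since prefs.js is rewritten by Thunderbird itself; a WRONG line after a restart means something (an add-on, the Config Editor, a competing user.js) is overriding the module.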
When you receive an email with a link:
- Right-click the link text → Copy Link Location
- Inspect the URL in a text editor or terminal
- Verify the host: the name just before the first single slash is what actually receives the request. Look for typos and lookalike characters, extra subdomains stacked in front of a familiar name, and anything before an @ sign
- Paste it into the browser only if it matches what you expect from that sender
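The following shell function, added here as a worked example (it is not part of Geckoforge), automates the inspection steps above: it pulls the real host out of a pasted URL and prints the tricks phishing links rely on (userinfo before an @, bare IP hosts, punycode labels, deep subdomain chains, a non-standard port, and a host that is not under the domain you expected). The hostnames in the sample calls are made up.

```shell
#!/bin/sh
# Added example for this page (not Geckoforge code): dissect a URL copied out of
# an email and print the red flags a phishing link usually carries. The host it
# prints is the one the browser would actually contact. Only sh, sed, grep, tr
# and awk are used. Hostnames in the sample calls are made up.
# Usage: inspect_url 'https://example.com/path' [expected-domain]
# Returns 0 when nothing looks off, 1 when at least one red flag was printed.

red_flag() {
    printf '  RED FLAG: %s\n' "$1"
    flags=$((flags + 1))
}

inspect_url() {
    url=$1
    expected=$2
    flags=0
    printf 'URL: %s\n' "$url"

    case $url in
        *://*) ;;
        *) red_flag "no scheme; this is not a URL as written"; return 1 ;;
    esac
    scheme=$(printf '%s' "${url%%://*}" | tr 'A-Z' 'a-z')
    rest=${url#*://}
    authority=${rest%%/*}          # up to the first slash...
    authority=${authority%%\?*}    # ...or the query string
    authority=${authority%%#*}     # ...or a fragment

    # user:pass@host puts a trusted name in front of the real host:
    # https://accounts.google.com@evil.example/ goes to evil.example.
    case $authority in
        *@*) red_flag "text before '@' is userinfo, not the host; real host is '${authority##*@}'"
             hostport=${authority##*@} ;;
        *)   hostport=$authority ;;
    esac
    host=$(printf '%s' "${hostport%%:*}" | tr 'A-Z' 'a-z')
    port=${hostport#*:}
    if [ "$port" = "$hostport" ]; then port=""; fi

    # The registrable domain (last two labels) is who receives the request,
    # whatever familiar names were stacked in front of it.
    domain=$(printf '%s\n' "$host" | awk -F. 'NF > 1 { print $(NF-1) "." $NF; next } { print }')
    printf '  host: %s   (registrable domain: %s)\n' "$host" "$domain"

    [ "$scheme" = "https" ] || red_flag "scheme is '$scheme', not https"
    [ -z "$port" ] || [ "$port" = "443" ] || red_flag "non-standard port $port"
    if printf '%s' "$host" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        red_flag "host is a bare IP address"
    fi
    case $host in
        *xn--*) red_flag "punycode label (xn--): possible homoglyph of a familiar domain" ;;
    esac
    dots=$(printf '%s' "$host" | tr -cd '.' | wc -c)
    if [ "$((dots + 0))" -ge 4 ]; then
        red_flag "unusually deep subdomain chain ($((dots + 1)) labels)"
    fi
    if [ -n "$expected" ]; then
        case $host in
            "$expected"|*."$expected") ;;
            *) red_flag "host is not '$expected' or a subdomain of it" ;;
        esac
    fi

    if [ "$flags" -eq 0 ]; then
        printf '  no red flags; still compare %s with the sender you expect\n' "$domain"
        return 0
    fi
    return 1
}

# Constructed examples (made-up hostnames):
inspect_url 'https://www.example.com/login' example.com
inspect_url 'https://accounts.google.com@evil.example/verify' google.com
inspect_url 'http://192.0.2.10/login'
inspect_url 'https://xn--pypal-4ve.com/signin' paypal.com
```

The second argument is the domain you expect for that sender; supplying it turns the check from "does this look odd" into "is this where I think it goes", which is the question that actually matters.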
Example:
```bash
# Inspect URL safely: confirms only that the text is an https URL with a plausible hostname
echo "https://example.com/suspicious-link?track=abc123" | grep -E "^https://[a-zA-Z0-9.-]+\.[a-z]{2,}/"
```
A match says nothing about whether that domain belongs to the sender; compare it against the address you expect.
Gmail:
IMAP Configuration:
- Server: imap.gmail.com
- Port: 993
- Security: SSL/TLS
- Authentication: OAuth2 (recommended) or App Password
SMTP Configuration:
- Server: smtp.gmail.com
- Port: 587
- Security: STARTTLS
- Authentication: OAuth2 (recommended) or App Password
Prerequisites:
- Enable IMAP: Gmail Settings
- Option A (Recommended): Use OAuth2 (Thunderbird will prompt)
- Option B: Generate an App Password:
  - Go to Google Account Security
  - Enable 2FA if not already enabled (Google only issues App Passwords on accounts with 2-Step Verification)
  - Generate an App Password under "Signing in to Google"
  - Use this password in Thunderbird
  - An App Password is a static credential with full mailbox access: treat it like your account password, store it only in Thunderbird's password manager (ideally behind a Primary Password), and revoke it from the same page when you stop using it
Outlook / Office 365:
IMAP Configuration:
- Server: outlook.office365.com
- Port: 993
- Security: SSL/TLS
- Authentication: OAuth2 (recommended; Microsoft no longer accepts password-based basic authentication for IMAP on Exchange Online, so in practice OAuth2 is required)
SMTP Configuration:
- Server: smtp.office365.com
- Port: 587
- Security: STARTTLS
- Authentication: OAuth2 (recommended)
Prerequisites:
- Thunderbird 78+ supports OAuth2 for Outlook automatically
- When adding account, select "OAuth2" as authentication method
- Browser window will open for Microsoft login
- Authorize Thunderbird to access your mailbox
Troubleshooting:
- If OAuth2 is not offered, update Thunderbird:
```bash
sudo zypper update MozillaThunderbird
```
- Check Microsoft's IMAP settings
ProtonMail:
ProtonMail uses end-to-end encryption, so Thunderbird cannot talk to it directly. ProtonMail Bridge (available on paid Proton plans) runs on your machine, decrypts mail with your keys, and exposes a local IMAP/SMTP server on 127.0.0.1 that Thunderbird connects to.
Run the setup script:
```bash
cd ~/git/geckoforge
./scripts/setup-protonmail-bridge.sh
```
Choose installation method:
- Flatpak (recommended - sandboxed)
- Official RPM from proton.me/mail/bridge
Start Bridge:
```bash
protonmail-bridge --cli
```
Or launch it from the application menu: ProtonMail Bridge
In Bridge interface:
- Click Sign In and enter ProtonMail credentials
- Enter your two-factor code if the account has 2FA enabled
- Bridge will display IMAP and SMTP credentials
- Copy these credentials (needed for Thunderbird)
IMAP Configuration:
- Server: 127.0.0.1
- Port: 1143
- Security: STARTTLS
- Username: From Bridge (usually your ProtonMail address)
- Password: From Bridge (generated password, NOT your ProtonMail password)
SMTP Configuration:
- Server: 127.0.0.1
- Port: 1025
- Security: STARTTLS
- Username: From Bridge
- Password: From Bridge
Bridge terminates TLS with its own locally generated certificate rather than one from a public CA, so Thunderbird asks you to confirm a security exception on the first connection. That is expected for 127.0.0.1 only; a certificate warning for any other server is a red flag, not something to click through.
Auto-Start Bridge:
```bash
# Enable systemd service
systemctl --user enable protonmail-bridge.service
systemctl --user start protonmail-bridge.service
# Check status
systemctl --user status protonmail-bridge.service
```
Add the Account in Thunderbird:
- Open Thunderbird
- File → New → Existing Mail Account
- Enter:
  - Name: Your display name
  - Email: Your email address
  - Password: (Provider-specific)
- Click Continue
- If auto-detect fails, click Manual Configuration
- Enter server settings from provider section above
- Click Re-test → Done
For Gmail and Outlook:
- Select OAuth2 as authentication method
- Thunderbird will open browser for login
- Authorize Thunderbird
- Return to Thunderbird (should auto-complete)
If you need to enable clickable links temporarily:
- Open Thunderbird
- Settings → Advanced → Config Editor
- Search: network.protocol-handler.external-default
- Double-click to toggle false → true
- Restart Thunderbird
- Toggle it back to false when you are done
To change it permanently, edit ~/git/geckoforge/home/home.nix:
```nix
programs.thunderbird-hardened = {
  enable = true;
  disableLinks = false; # <-- Change to false
  # ... other settings ...
};
```
Rebuild:
```bash
home-manager switch --flake ~/git/geckoforge/home
```
Troubleshooting:
Issue: Right-click → Copy Link Location is grayed out
Solution: The text isn't recognized as a URL. Manually select and copy the text.
Issue: Legitimate email looks broken without images
Solution: Click the Load Remote Content button at the top of the message (per-message basis). Loading remote content fetches images from the sender's server and so confirms to them that you opened the message; do this only for senders you trust.
Issue: Need to view HTML email occasionally
Solution: View → Message Body As → Original HTML
Check service:
```bash
systemctl --user status protonmail-bridge.service
journalctl --user -u protonmail-bridge.service -f
```
Restart manually:
```bash
systemctl --user restart protonmail-bridge.service
```
Check ports:
```bash
ss -tlnp | grep -E ':(1143|1025)'
```
Authentication failures:
Gmail/Outlook OAuth2:
- Clear browser cache and cookies
- Try "Sign in with Google/Microsoft" again
- Check Google App Passwords
ProtonMail Bridge:
- Verify Bridge is running: `systemctl --user status protonmail-bridge`
- Check that the Bridge credentials match what Thunderbird has stored
- The Bridge password is NOT your ProtonMail password
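Bridge serves your decrypted mailbox over IMAP/SMTP on 127.0.0.1, so the "Check ports" step above should confirm not only that ports 1143 and 1025 are open but that they are bound to loopback and nothing else. The script below (added as an example; it is not Geckoforge or Proton code) parses `ss -tlnp` output to check exactly that and adds an openssl probe of the STARTTLS upgrade. The port numbers come from the Bridge settings above; the ss sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for this page (not Geckoforge or Proton code): check that Bridge's
# IMAP (1143) and SMTP (1025) listeners exist and are bound to loopback only.
# Bridge holds your decrypted mailbox, so a listener on 0.0.0.0 or a LAN
# address would expose it to everyone on that network. The parser takes
# `ss -tlnp` output on stdin so it can be exercised on captured text; the live
# helpers at the bottom run the real commands.

bridge_listen_check() {
    input=$(cat)      # output of: ss -tlnp
    problems=0
    for port in 1143 1025; do
        # Column 4 of ss is Local Address:Port; keep only LISTEN sockets on this port.
        addrs=$(printf '%s\n' "$input" | awk -v p=":$port" '$1 == "LISTEN" && $4 ~ (p "$") { print $4 }')
        if [ -z "$addrs" ]; then
            echo "port $port: nothing listening (is protonmail-bridge running?)"
            problems=$((problems + 1))
            continue
        fi
        for addr in $addrs; do
            case $addr in
                127.0.0.1:*|\[::1\]:*)
                    echo "port $port: $addr bound to loopback (OK)" ;;
                *)
                    echo "port $port: $addr is reachable from the network; Bridge must listen on 127.0.0.1 only"
                    problems=$((problems + 1)) ;;
            esac
        done
    done
    [ "$problems" -eq 0 ]
}

# Live check against the running system (not exercised on captured text).
bridge_live_check() {
    systemctl --user is-active --quiet protonmail-bridge.service \
        || echo "protonmail-bridge.service is not active"
    ss -tlnp | bridge_listen_check
}

# Confirm that the IMAP port really upgrades to TLS. Expect Bridge's own
# locally generated certificate here, which is why Thunderbird asks for a
# security exception for 127.0.0.1.
bridge_tls_probe() {
    openssl s_client -starttls imap -connect 127.0.0.1:1143 -brief </dev/null
}

# Constructed ss output (not captured from a real host) to demonstrate the parser:
# IMAP correctly on loopback, SMTP wrongly on all interfaces.
sample='LISTEN 0 4096 127.0.0.1:1143 0.0.0.0:* users:(("bridge",pid=4242,fd=9))
LISTEN 0 4096 0.0.0.0:1025 0.0.0.0:* users:(("bridge",pid=4242,fd=10))'
printf '%s\n' "$sample" | bridge_listen_check || echo "exit status $?: fix the binding before adding the account"
```

On a real host run `bridge_live_check` and `bridge_tls_probe`; the probe should end with a TLS session summary, and a refused connection or no STARTTLS capability means the Thunderbird settings above will not work.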
OpenPGP:
- Generate a key:
```bash
gpg --full-generate-key
```
- In Thunderbird: Account Settings → End-to-End Encryption
- Import or generate an OpenPGP key. Thunderbird keeps its own OpenPGP keyring separate from GnuPG's, so a key made with gpg must be exported (public and secret parts) and imported here; generating the key inside Thunderbird avoids that step
- Exchange public keys with contacts and confirm fingerprints over a second channel before trusting them
S/MIME:
- Obtain a certificate from a CA (e.g., Sectigo (formerly Comodo), DigiCert)
- Account Settings → End-to-End Encryption → S/MIME
- Import the certificate together with its private key (usually a .p12 file)
Filters and Organization:
- Tools → Message Filters for custom rules
- Mark spam to train the junk filter
- Use Search Folders to organize
Resources:
- Thunderbird Support
- Gmail IMAP Settings
- Outlook IMAP Settings
- ProtonMail Bridge Documentation
- OpenPGP in Thunderbird
Geckoforge Project
Email Security Configuration
Rev. 2025-10-11