Enigmail can be fine-tuned to your needs. This page illustrates the many configuration options of Enigmail.
If you use GnuPG and configured it manually, please note that these preferences will override any similar entry in the GnuPG configuration file gpg.conf.
To access the Enigmail preferences select Enigmail → Preferences from the menu bar. This will initially bring up the Basic preferences, which control the basic functioning of Enigmail.
Files and Directories shows where GnuPG was found. Enigmail tries to locate the GnuPG executable automatically at startup. Typical locations are C:\Program Files (x86)\GNU\GnuPG\gpg2.exe on Windows and /usr/local/bin/gpg2 on Linux and Mac OS X. If Enigmail cannot find GnuPG, or you want to specify the location yourself, tick Override with and enter the path to the GnuPG executable file. Make sure that path points to a GnuPG binary you trust, since every signing and decryption operation is delegated to it.
You will be asked for your passphrase every time Enigmail needs to access your private key, for instance whenever you sign, decrypt, or change your key pair's properties. Typing the passphrase all the time is cumbersome, and you might be tempted to choose a passphrase that is short and simple to type, which is a bad idea. Instead, set a caching time for your passphrase by entering the desired number of minutes in the field Remember passphrase for [ ] minutes of idle time. In the example shown here, you will not be asked for the passphrase for 10 minutes of idle time. You will be asked for the passphrase again when the caching time has expired or when you restart the computer. If your GnuPG installation uses gpg-agent (GnuPG 2.x), passphrase prompting and caching are handled by the agent, and its own limits (default-cache-ttl and max-cache-ttl in gpg-agent.conf, given in seconds) determine how long the passphrase stays cached. Read more about passphrase handling here.
Be careful not to leave your computer unattended while the passphrase is cached. Anybody with access to your computer during that time can send email messages signed on your behalf, or read your encrypted mail.
The Display / Hide Expert Settings and Menus toggle button allows you to access the Expert preferences by activating four additional tabs.
Finally, the Reset button allows you to reset all configuration settings to their default.
The Sending tab of the Preferences shows the options for sending encrypted mails. It is always accessible, even if you haven't enabled the Expert settings. These settings define how Enigmail will behave when sending secured mail.
By default, Convenient encryption settings are enabled. This gives beginners an easy start by setting all sub-settings to their default values, as shown in the picture above. With these settings, emails are encrypted without confirmation whenever possible. However, this brings the risk that you accidentally encrypt to a fake key, i.e. a key that does not really belong to the person you want to write to; a message encrypted to such a key is readable by whoever holds it. To avoid this risk, either use the PGP trust model (send only to keys that are valid for you) or always verify, over a channel other than email, that the fingerprint of a public key is correct.
Advanced users might want to switch to Manual encryption settings, which lets you define every sub-setting yourself.
Encrypt/sign replies to encrypted/signed messages (checked by default) automatically switches on encryption/signing when composing a reply to an encrypted/signed message. This is a smart thing to do, especially if you quote the original message.
Automatically send encrypted:
- Never - never encrypt automatically;
- If possible (default) - send encrypted when you have all public keys of the recipients (everyone in To, Cc, and Bcc).
To send encrypted, accept:
- Only trusted keys - do not allow you to encrypt a message with keys that are not valid (this is the usual GnuPG behaviour);
- All usable keys (default) - allow you to encrypt a message with any key which is not expired, revoked, or disabled.
Confirm before sending controls a confirmation dialog that would pop up before sending any message, so that you can check the signing, encryption, and S/MIME status:
- Never (default) - select this option if you send S/MIME signed or encrypted messages from time to time;
- Always - always prompt for confirmation;
- If encrypted - prompt only when mail is going to be sent encrypted;
- If unencrypted - prompt only when mail is going to be sent unencrypted;
- If rules changed the default encryption setting - prompt only when Per-Recipient Rules changed the default encryption setting (useful to detect when a rule switched off encryption).
This tab is accessible only if you have enabled Expert settings in the Basic tab.
These settings define how Enigmail selects, for each recipient, the public keys with which to encrypt a message. The options are different ways to find the correct key. Enigmail processes all checked options in order and stops as soon as one of them yields a match.
- By Per-Recipient Rules (checked by default) - choose the key depending on per-recipient rules;
- By E-Mail-Addresses according to the key manager (checked by default) - select the key whose User ID matches the recipient's email address;
- Manually if keys are missing (checked by default) - if the above options don't result in a match, pop up the Key Selection window to let you choose the keys manually;
- Always (also) manually - always pop up the Key Selection window to let you choose the keys manually. If any of the above options is selected and has found suitable keys, those keys will be preselected.
The Edit Rules... button opens the Per-Recipient Rules Editor window.
This tab is accessible only if you have enabled Expert settings in the Basic tab.
These settings define miscellaneous OpenPGP and Enigmail options.
If you use HTML to compose email messages, messages signed with the Inline PGP standard (which was the default in Enigmail until v1.8 included; the default from v1.9 onward is PGP/MIME) need to be re-wrapped before they can be sent, in order to avoid invalid signatures. We recommend you leave enabled the option Re-wrap signed HTML text before sending, unless you have problems caused by re-wrapping.
Add Enigmail comment in OpenPGP signature adds the comment line Comment: Using GnuPG with Thunderbird - http://www.enigmail.net to the OpenPGP signature block. Note that you can add any comment to the OpenPGP signature by calling GnuPG with the parameter "--comment your_comment" (see below to learn how to specify additional parameters to the GnuPG executable).
When signing, lines starting with a dash (-) are replaced with two dashes separated by a space (- -), as required for cleartext signatures by the OpenPGP standard (dash escaping, RFC 4880 section 7.1). As a result, the double-dash line ("-- ", dash dash space) that mail clients treat as the separator between the message body and a personal signature, usually displayed in grey, no longer appears as such. By enabling the option '--' is a signature separator, Enigmail applies a workaround to handle the signature separator correctly when reading and composing messages.
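The following is an added example, not Enigmail's own code: it implements the dash escaping that the signer applies to the text of an inline (cleartext) signature and the reverse step a reader performs, and shows why a client that looks for the "-- " separator in the escaped text no longer finds it. The message body is constructed for the example.

```python
"""Added example (not Enigmail code): dash escaping of cleartext-signed text
and its effect on the "-- " signature separator.  BODY is constructed."""


def dash_escape(text):
    """RFC 4880 section 7.1: every line starting with '-' gets the prefix "- "."""
    return "\n".join("- " + line if line.startswith("-") else line
                     for line in text.split("\n"))


def dash_unescape(text):
    """Reverse of dash_escape: strip the "- " prefix added by the signer.
    Lines of the original text never start with "- " unless they were
    escaped, so this is an exact inverse."""
    return "\n".join(line[2:] if line.startswith("- ") else line
                     for line in text.split("\n"))


def signature_separator_index(text):
    """Index of the line separating the body from the personal signature
    ("-- " by mail convention, RFC 3676; a bare "--" is accepted too, since
    some clients strip the trailing space), or None if there is none."""
    for i, line in enumerate(text.split("\n")):
        if line in ("-- ", "--"):
            return i
    return None


# Constructed message: a bulleted line, a signature separator, a signature.
BODY = "Hello,\n- first point\n-- \nJohn Random Hacker"


def demo():
    """Where the separator is found: in the original text, in the
    dash-escaped text a verifier receives, and after un-escaping."""
    escaped = dash_escape(BODY)          # "-- " became "- -- "
    return (signature_separator_index(BODY),
            signature_separator_index(escaped),
            signature_separator_index(dash_unescape(escaped)))


if __name__ == "__main__":
    print(dash_escape(BODY))
    print(demo())
```

A client that searches the escaped text finds no separator (the middle value of demo() is None), which is the symptom the option above works around; once the text is un-escaped, the separator is back where it was.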
Usually, the email address in a User ID is surrounded by angle brackets (< >) to separate the full-name part from the email part, e.g. John Random Hacker <firstname.lastname@example.org>. Deactivating the option Use '<' and '>' to specify email addresses removes the brackets from the addresses Enigmail passes to GnuPG when selecting keys. This is necessary for compatibility with some providers, like Hushmail, whose User IDs do not contain brackets. Hushmail is a provider of OpenPGP encryption over the web, but keys generated with Hushmail are not fully compatible with OpenPGP. This option should normally be left on when encrypting: with the brackets, an address matches only a User ID whose email part is exactly that address, whereas without them it also matches any User ID that merely contains the address as a substring, which can select the wrong key and hence cause security problems. It needs to be turned off only for Hushmail keys.
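The following is an added example, not Enigmail's or GnuPG's code: a small model of recipient key lookup by User ID that ties together the To send encrypted, accept choice from the Sending tab (only trusted keys versus all usable keys), the By E-Mail-Addresses selection method, and the effect of the angle-bracket option above. The key IDs, User IDs, validity letters and the look-alike address are constructed for the example; the validity letters follow the codes GnuPG prints with --list-keys --with-colons.

```python
"""Added example (not Enigmail/GnuPG code): key lookup by User ID with and
without angle brackets, filtered by key validity.  The keyring is constructed."""
from dataclasses import dataclass

# GnuPG validity letters: u=ultimate, f=full, m=marginal, q=undefined,
# -=unknown, e=expired, r=revoked, d=disabled.
TRUSTED = {"u", "f", "m"}            # "Only trusted keys": valid for you
USABLE = TRUSTED | {"q", "-"}        # "All usable keys": not expired/revoked/disabled


@dataclass
class Key:
    key_id: str
    uids: tuple
    validity: str


def uid_matches(uid, addr, use_brackets=True):
    """With brackets the address must be the complete <email> part of the
    User ID; without them, any substring of the User ID matches."""
    needle = f"<{addr}>" if use_brackets else addr
    return needle.lower() in uid.lower()


def select_keys(keyring, addr, accept="usable", use_brackets=True):
    """Key IDs Enigmail would encrypt to for one recipient address."""
    allowed = TRUSTED if accept == "trusted" else USABLE
    return [k.key_id for k in keyring
            if k.validity in allowed
            and any(uid_matches(u, addr, use_brackets) for u in k.uids)]


# Constructed keyring (all IDs, names and addresses are made up).
KEYRING = (
    Key("0xKEYA", ("John Random Hacker <firstname.lastname@example.org>",), "f"),
    # look-alike: the real address is a substring of a different address
    Key("0xKEYB", ("Look-alike <firstname.lastname@example.org.attacker.test>",), "-"),
    Key("0xKEYC", ("Old key <firstname.lastname@example.org>",), "e"),   # expired
    Key("0xKEYD", ("Alice <alice@example.com>",), "-"),                    # never verified
    Key("0xKEYE", ("hush.user@hushmail.example",), "-"),                   # no brackets in UID
)


if __name__ == "__main__":
    a = "firstname.lastname@example.org"
    print(select_keys(KEYRING, a))                     # ['0xKEYA']
    print(select_keys(KEYRING, a, use_brackets=False))  # ['0xKEYA', '0xKEYB']
    print(select_keys(KEYRING, "alice@example.com", accept="trusted"))  # []
```

With brackets, the look-alike key 0xKEYB is never chosen; without them it is, and with the default All usable keys setting it would silently become a second recipient of the ciphertext. Only trusted keys refuses unverified keys such as 0xKEYD, which is what forces a fingerprint check (or manual selection) before the first encrypted mail to a new correspondent. GnuPG itself treats a pattern of the form <address> as an exact match on the email part of a User ID, which is the behaviour modelled here.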
Only download attachments when opened (IMAP only) enables an IMAP feature that makes Thunderbird download only the first 35-40 KB of a message, fetching attachments only on demand. If an encrypted message is larger than this, it may be downloaded only in part, its end will be missing, and Enigmail will fail to decrypt it. If you use an IMAP inbox and notice that Thunderbird shows some of your mails as broken or reports an error when trying to decrypt them, disable this option; Thunderbird will then download each complete message at once. Alternatively, click on the broken lock to download the message in full.
The text field Additional parameters for GnuPG allows you to have Enigmail call the GnuPG executable with the additional parameters you prefer.
Finally, the Reset Warnings button controls the way Enigmail pops up the interactive dialogs asking you to make a choice. If you ever asked Enigmail to remember your choice for the future (for instance when choosing how Enigmail should sign/encrypt attachments), clicking this button will have Enigmail prompt you the dialog again when needed.
This tab is accessible only if you have enabled Expert settings in the Basic tab.
These are the options related to keyservers used by Enigmail to search and download public keys.
The text field Specify your keyserver(s) allows you to specify a list of OpenPGP keyservers. These keyservers will be proposed to you next time you launch a search for a person's public key on a keyserver.
If you tick Always use first keyserver, only the first keyserver of the list will be queried for keys.
You may prepend a protocol to the name of a keyserver, e.g. hkp://keyserver.example.com or ldap://certserver.pgp.com.
Optionally, you may enter a keyserver name in the field Automatically download keys for signature verification from the following keyserver. Enigmail will then automatically try to download, from that keyserver, every public key needed to verify a signed message. If you use this option, specify only one keyserver. Keep in mind that a key fetched this way is unverified: a "good signature" then proves only that the message was signed with the key carrying the signer's name, not that the key belongs to that person, until you have checked its fingerprint or the key is valid in your web of trust. The keyserver operator also learns which keys you look up, and hence whose signed mail you read.
This tab is always accessible, even if you haven't enabled Expert settings in the Basic tab.
The options in this tab are pretty self-explanatory: they allow you to export (Export Settings and Keys) or restore (Restore Settings and Keys) your whole Enigmail configuration. This is very useful as a backup, or when you've installed Enigmail on another machine and you want to migrate all settings.
Be warned that the backup contains your private key(s): it is sensitive material. Store it only where you would store the private key itself (for instance on encrypted removable media), and delete it from any temporary location.
Clicking on Export Settings and Keys will present you with the following window:
Just specify the file on which you want to store the backup, then click Continue.
Your configuration will be backed up. If you're asked for the passphrase of your private key(s), type it.
Enigmail features a powerful system of Per-Recipient Rules (PRR for short) that, for any recipient, lets you specify in advance whether to sign, whether to encrypt, and whether to use the PGP/MIME format or the Inline PGP standard. Per-recipient rules also let you specify which key to use for an intended recipient of an encrypted message. By default, Enigmail first searches the per-recipient rules for a rule matching the recipient; if no rule matches (as is the case after a fresh install of Enigmail), Enigmail selects the key with a User ID matching the recipient.
Per-Recipient Rules Editor
To edit per-recipient rules, select Enigmail → Edit Per-Recipient Rules. The picture below shows the Per-Recipient Rules Editor window:
Let's take again the example where we manually encrypted a message to email@example.com. This address is an alias for firstname.lastname@example.org. We have a key for the real address but not for the alias. Thus, Enigmail cannot encrypt automatically.
This can be conveniently solved by Per-Recipient Rules. For this purpose, we need to create a rule "When sending a message to email@example.com always encrypt it with the public key for firstname.lastname@example.org".
The Add button adds a new rule, and Modify modifies an existing rule.
Let's click on Add. Enigmail opens the Recipient Settings window where we can enter all parameters for this new rule:
First, we add the mail address which shall be processed; in this case we enter email@example.com. Then we choose Apply rule if recipient is exactly one of the above addresses from the drop-down menu. Then we select Use the following OpenPGP keys and we click on the button Select Key(s); the key selection window will appear. From there we select the public key for firstname.lastname@example.org.
Then we select Always for Encryption, Signing, and PGP/MIME. From now on, messages that we send to email@example.com will automatically be encrypted and signed using PGP/MIME. You might also choose to specify different options for Encryption, Signing, and PGP/MIME.
Click OK, and we see our first rule in the list:
If you create more than one rule, they are processed in order, from top to bottom. You can change the rules order by using the buttons Move Up and Move Down, while Delete will delete a rule.
Perhaps the most useful application of PRRs is encrypting messages sent to a mailing list. In this case, specify the mailing list's email address as the recipient and select the public keys of all the members of the mailing list (which we assume you have in your keyring). Remember to update the rule whenever members join or leave: a message stays readable by every key it was encrypted to.
PRRs make possible not only to set encryption for specific addresses but also to exclude some addresses from encryption or signing. Just select Never in the encryption or signing fields for the rule.
In the Set Enigmail Rules for field you must enter the recipient email address you're writing the rule for. Recipients are the addresses specified in the fields To:, Cc:, and Bcc: of the email message, without distinction. If you want to have a rule for multiple email addresses, enter them all in the field, separated by spaces. Then choose the pattern matching criteria from the drop-down menu (Is exactly, Contains, Starts with, Ends with).
In the Action zone you specify the rule behaviour. If there is a match with the specified recipient email address(es):
- Continue with next rule for the matching address lets you define a rule without specifying a key in the Use the following OpenPGP keys field. The key for this address is then looked up by email address (User ID) when the message is sent, and further rules for the same address are still processed.
- Do not check further rules for the matching address stops the processing of any other rule for the matching address once this rule has matched. Rule processing continues with the next recipient.
- Use the following OpenPGP keys lets you specify which recipient keys will be used for encryption. Use the Select Key(s)... button to choose the keys. This is the most used and recommended method. Further rules are still processed for the other recipients, but not for this address.
In the Defaults for... zone you decide whether to activate signing, encryption, and PGP/MIME if the rule is matched. Each function can be independently set to three options:
- Never specifies that the function will be disabled;
- Yes, if selected in Message Composition allows you to set the option at the time of message composition;
- Always specifies that the function will be enabled.
When sending a message to multiple recipients, in case of conflicts between rules, Never overrules Always. For instance, if you create two rules for the following two recipients:
PGP/MIME: Yes, if selected in Message Composition
and you try to send a signed and encrypted message to firstname.lastname@example.org and email@example.com, the message will be signed only, because Never for encryption in one rule overrides Always in the other. Likewise, if you turned on PGP/MIME when composing the message, that setting is ignored: since the message is not encrypted at all, it cannot be encrypted with PGP/MIME.
You can jump directly to the Recipient Settings, and create a rule for a particular email address, by right-clicking on that address from the Message window or the Address Book and selecting Create Enigmail-Rule from Address... from the pop-up menu.
The rules are processed sequentially in the order displayed in the rules editor. If a rule contains an OpenPGP key, the rule is applied, but the address that triggered the match will not be rechecked in any following rules.
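To make the rule semantics above concrete, here is an added example that is not Enigmail's code: a small model of rule evaluation for a message with several recipients, covering the four matching criteria, the three actions, the Never / Yes, if selected / Always defaults, the Never-overrules-Always conflict resolution, and the fact that an address matched by a rule with keys is not rechecked by later rules. The rule set, addresses and key IDs are constructed for the example (the alias rule and the mailing-list rule mirror the two cases described earlier); what happens to recipients left unresolved (User ID lookup or manual selection) is outside this model.

```python
"""Added example (not Enigmail code): evaluation of Per-Recipient Rules for a
message.  Rules, addresses and key IDs below are constructed."""
from dataclasses import dataclass
from enum import Enum


class Pref(Enum):
    NEVER = 0          # function disabled for this recipient
    IF_SELECTED = 1    # "Yes, if selected in Message Composition"
    ALWAYS = 2         # function enabled regardless of the compose window


@dataclass
class Rule:
    addresses: tuple              # patterns from "Set Enigmail Rules for"
    match: str                    # "exact" | "contains" | "starts" | "ends"
    action: str                   # "continue" | "stop" | "keys"
    key_ids: tuple = ()           # only used when action == "keys"
    sign: Pref = Pref.IF_SELECTED
    encrypt: Pref = Pref.IF_SELECTED
    pgpmime: Pref = Pref.IF_SELECTED


@dataclass
class Decision:
    rule_keys: dict               # recipient -> key IDs fixed by a rule
    unresolved: list              # recipients left to User ID lookup / manual selection
    sign: bool
    encrypt: bool
    pgpmime: bool


def rule_matches(rule, addr):
    a = addr.lower()
    for pat in rule.addresses:
        p = pat.lower()
        if ((rule.match == "exact" and a == p)
                or (rule.match == "contains" and p in a)
                or (rule.match == "starts" and a.startswith(p))
                or (rule.match == "ends" and a.endswith(p))):
            return True
    return False


def combine(current, new):
    """Conflicts between rules: Never overrules Always, Always overrules
    'if selected'."""
    if Pref.NEVER in (current, new):
        return Pref.NEVER
    if Pref.ALWAYS in (current, new):
        return Pref.ALWAYS
    return Pref.IF_SELECTED


def evaluate(rules, recipients, composer):
    """recipients: every address from To, Cc and Bcc.  composer: the
    sign/encrypt/pgpmime switches as set in the compose window."""
    prefs = {"sign": Pref.IF_SELECTED, "encrypt": Pref.IF_SELECTED,
             "pgpmime": Pref.IF_SELECTED}
    rule_keys, unresolved = {}, []
    for rcpt in recipients:
        fixed = None
        for rule in rules:                     # top to bottom, as in the editor
            if not rule_matches(rule, rcpt):
                continue
            for name in prefs:
                prefs[name] = combine(prefs[name], getattr(rule, name))
            if rule.action == "keys":
                fixed = list(rule.key_ids)     # address not rechecked by later rules
                break
            if rule.action == "stop":
                break
            # action == "continue": later rules may still match this address
        if fixed is None:
            unresolved.append(rcpt)            # next key-selection method decides
        else:
            rule_keys[rcpt] = fixed

    def on(name):
        p = prefs[name]
        return p is Pref.ALWAYS or (p is Pref.IF_SELECTED and bool(composer.get(name)))

    return Decision(rule_keys, unresolved, on("sign"), on("encrypt"), on("pgpmime"))


# Constructed rule set (addresses and key IDs are made up for the example).
RULES = [
    # mailing list: encrypt to every member's key
    Rule(("list@example.org",), "exact", "keys", ("0xKEYA", "0xKEYC"),
         sign=Pref.ALWAYS, encrypt=Pref.ALWAYS, pgpmime=Pref.ALWAYS),
    # alias with no key of its own: use the key of the real address
    Rule(("email@example.com",), "exact", "keys", ("0xKEYA",),
         sign=Pref.ALWAYS, encrypt=Pref.ALWAYS, pgpmime=Pref.ALWAYS),
    # a domain that must never receive signed or encrypted mail
    Rule(("@example.net",), "ends", "continue", sign=Pref.NEVER, encrypt=Pref.NEVER),
]


if __name__ == "__main__":
    composer = {"sign": True, "encrypt": True, "pgpmime": True}
    print(evaluate(RULES, ["email@example.com"], composer))
    print(evaluate(RULES, ["email@example.com", "bob@example.net"], composer))
```

The second call shows the conflict case: the alias rule demands encryption, the domain rule forbids it, and Never wins, so a mail to both addresses goes out unsigned and unencrypted even though the compose window had both switched on. This is exactly the situation the Confirm before sending option If rules changed the default encryption setting is meant to surface before the message leaves.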
To minimize the number of rules you have to create, you should carefully set your OpenPGP global and account settings.
How Enigmail chooses the recipient keys for an encrypted message is controlled by the settings in Enigmail → Preferences → Sending and Enigmail → Preferences → Key Selection. By default, Enigmail first checks per-recipient rules, then the User IDs in your public keyring.
You can enable the option Enigmail → Preferences → Sending → Confirm before Sending: Always in order to check the status for signing, encryption, and PGP/MIME before a message is sent.
Per-recipient rules are stored in a file called pgprules.xml located in your profile directory. If you backup/restore your profile manually, you should make sure to include this file. The format of this file is documented here.