Closed Bug 1681168 Opened 2 years ago Closed 2 years ago

Since TB 78.x subject in drafts is always encrypted when having integrated Enigmail GnuPG and therefore some Apps do not work (e.g. send later)


(Thunderbird :: Security, enhancement)



(thunderbird_esr78+ affected, thunderbird90 fixed)

91 Branch
Tracking Status
thunderbird_esr78 + affected
thunderbird90 --- fixed


(Reporter: conrad.lienhardt, Assigned: KaiE, NeedInfo)




(1 file, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0

Steps to reproduce:

1_I used "Send Later" to save a Mail with the intention to automatically send it later

2_Saved th
When saving a Mail as draft the system automatically encrypts subject and obviously date-time-stamp if using send later app. This way send later can not decrypt the date-time-stamp and

Actual results:

2_The "Send Later" column in Drafts Folder show: Error encyrpted
3_This Error remains although decrypting the Mail by clicking at the subject line
4_This way "Send later" does not work.

Expected results:

Before TB 78.x and therefore before integration of enigmail there was a way to deactivate encrypting drafts. So "Send later" worked perfect.
TB 78.x integrates OpenPG and since then there is no way to deactivate encrypting drafts.
Consequence: All apps related to drafts-folder and drafts fail.
It would be great to have the feature back, to activate or deactivate encryption of drafts

The same here, but my 'Send Later' column in the Drafts folder says: 'Send Later / Enigmail compatibility issue'.
And the subject field only shows: '...' , instead of the subject that I wrote.
Please solve !

To chime in and explain mostly to the Thunderbird devs what is going on:

The Send Later extension places messages in the user's Drafts folder for temporary storage until some specified time, at which point the message is to be moved into the Outbox and sent.

The Enigmail extension had an option for "Encrypt draft messages", which appears to be the default behavior now that PGP is bundled with Thunderbird, and no user-facing option seems to exist to disable it. Unfortunately, that means that the messages are then encrypted with the users own public key, and if they were then moved to the Outbox and sent, the recipient would receive a message that they would not be able to decrypt. In order to avoid that possibility, Send Later simply ignores encrypted messages, and displays a warning message (which used to be "Error: encrypted" and has since changed to the "Enigmail compatibility issue" message, thus the discrepancy between the two reports above).

There is an open discussion about this on Send Later's Github repository, here:

If any of the Thunderbird devs has suggestions about how to approach this issue they would be appreciated. In particular, some users have noted that the PGP keys must be stored in memory, at least during an individual Thunderbird session, since Thunderbird apparently decrypts messages fairly transparently from the user's perspective. If there is some reliable way to access the decrypted contents of messages in the Drafts folder, then maybe this could be handled on Send Later's side.

However, to my knowledge there is no way to work around this unless users are allowed to disable encrypting draft messages. If nothing else, it would be great to disable that feature when the user has configured their drafts to be saved in "Local Folders/Drafts", since there's not really a good reason to encrypt messages in that folder anyway.

I'm taking a sort of hands-off approach to this issue since I don't use PGP, but I know that this is a high priority for some Send Later users. I just wanted to chime in and give some context for what these bug reports are talking about, since they sound a bit cryptic to anyone who hasn't already been involved with that discussion.

"high priority for some Send Later users" is a bit of an understatement, this issue makes the 'Send Later' add-on unusable.

I don't understand why the ability to configure whether drafts are encrypted was removed in TB78. The obvious fix is to put it back.

Of course, if there were some internal flag that would prevent saving drafts, Send Later could prompt the user and optionally disable it on their behalf. But weirdly, there is no such variable. When encryption is enabled, drafts are saved using this function:
Which explicitly mentions in a comment that it will "always save drafts encrypted, as a precaution." And indeed, it checks whether it can encrypt the message to itself, and then does it without any further considerations. The only way to prevent encrypting drafts would also block other important functionality, like retaining self-encrypted copies of sent messages.

Additionally, it isn't clear to me how Send Later would then actually encrypt the outgoing message when the send time comes. It doesn't look like any pre-processing is applied to outbox messages before they are sent, and I can't find any hooks for manually encrypting raw mime messages from outside of a message compose window.

There's also the problem of ensuring that the message actually can be encrypted to all of the recipients. Of course, in many cases users will be sending unencrypted messages anyway because they only ever convinced one reluctant friend to install PGP. So Send Later can't assume that all messages need to be encrypted, but if it's too lax and something unexpected happens to one of the recipient keys, then it risks inadvertently sending an unencrypted message. Ostensibly, this sort of check/decision should happen when the message was first composed, but I don't know how to reliably propagate that information along.

As an editorial aside, this all perfectly highlights why un-federated message protocols like email do not play well with optional end-to-end encryption. Practically every use case is an edge case.

@Jonathan Kamens, How did this work before? I know there were hooks for Enigmail in version 7.x, but I haven't looked into how they worked.

Patrick and I collaborated to make Enigmail and Send Later place nicely with each other so that the Enigmail send hook would get called before Send Later saved a scheduled message in the Drafts folder, such that the message saved in the Drafts folder by Send Later was encrypted exactly as Enigmail would normally encrypt it before sending, so it was totally ready for Send Later to subsequently copy the message from the Drafts folder into the Outbox at the scheduled send time.

The only drawback to this approach was that the encryption time embedded in the encrypted message was the time the message was scheduled to be sent, not the time it was actually delivered it.

I don't know if the hooks that made this possible within Enigmail were preserved when it was integrated into Thunderbird itself.

Same problem here on Ubuntu 20.10 / 78.5.0 (64-bit).

Both SendLater and PGP/GPG are heavily used in my daily workflow, so it is quite unfortunate that they don't like each other anymore :( Would appreciate very much if this could be solved.


This is a real issue and I'm affected by it severely (and in fact, had to get back to v68), and the trade-off from disabling the draft encryption is quite acceptable to fix it easily. Then, yeah, if Send Later and thunderbird could play along, that'd be even better…



What can we do to help having this work properly? Work towards TB to have an option not to encrypt mails?

Any way to save drafts without encrypting them first would be great. It could be either a setting configured per-account or per-identity, or it could be implemented on a per-message basis as part of 1631580 or 1593012. Any implementation is fine, but somehow there needs to be a way to bypass line 1553 in enigmailMsgComposeOverlay.js. Currently, the saveDraftMessage function unilaterally decides that all drafts should be encrypted whenever it's possible to do so.

The second component for my use-case would be some way for extensions to interact with the PGP system to encrypt messages for their recipients. I think the most efficient way to accomplish that would piggyback on 1545930, adding a way to handle encryption at send time.

I'll have to delay working on that for a few weeks at least, but I'm willing to sponsor work on it… My workaround in the meantime on TB78 is to disable openpgp on the profile/account required to send later, encrypting manually what has to be. This is obviously not a great solution, as I can't send later + sign, which is not that unusual in my work flow… :'(

Tested by patching the files in Thunderbird 78.8.1 omni.ja file manually.

Thx for your efforts. Could you please specify step by step how to install the patch? (TB for Mac OS)

Flags: needinfo?(pantecretor)
Attachment #9208917 - Flags: review?(kaie)

This is great Kristian, I have the exact same problem on Thunderbird 78.10 on Fedora. Thanks. Can't wait for this patch to be effective in the builds.

See Also: → 1666073

Thanks for the patch. You are introducing a new preference. However, past Enigmail already had a pref, and it was per configured email account/identity. I think we should reuse the old preference.

Assignee: nobody → kaie
Ever confirmed: true
Attachment #9208917 - Attachment is obsolete: true
Attachment #9208917 - Flags: review?(kaie)

This initial Thunderbird commit (Enigmail import) shows the pref that was used in the past:

Target Milestone: --- → 91 Branch

Pushed by
Restore enigmail pref autoEncryptDrafts. r=mkmelin

Closed: 2 years ago
Resolution: --- → FIXED

Comment on attachment 9225607 [details]
Bug 1681168 - Restore enigmail pref autoEncryptDrafts. r=mkmelin

[Approval Request Comment]
Regression caused by (bug #): no
User impact if declined:
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): low

Attachment #9225607 - Flags: approval-comm-beta?

Comment on attachment 9225607 [details]
Bug 1681168 - Restore enigmail pref autoEncryptDrafts. r=mkmelin

[Triage Comment]
Approved for beta

Attachment #9225607 - Flags: approval-comm-beta? → approval-comm-beta+
You need to log in before you can comment on or make changes to this bug.