By Saroj Kandasamy


Certificate Renewal Method:

  • Remove the old certificate from Thunderbird:

      Go to Preferences -> Privacy and Security -> Manage Certificates -> Servers Tab -> Delete the old certificate

  • Reconnect Thunderbird to the email server. This should prompt you to accept the certificate again.
  • Location: the SSH tunnel that was created, for example localhost:1993
  • Click on 'Get Certificate' and permanently store the certificate exception


With this method, these steps have to be repeated every year, because the certificates are renewed yearly. The exception is needed because the Thunderbird client is configured to connect to localhost on the SSH tunnel port, while the server presents a certificate with the hostname valid for *. The hostname Thunderbird connects to therefore does not match the certificate, and a security certificate exception is required.


SSH SOCKS Proxy Tunnel Method:

Another way to connect to the email servers is through an SSH SOCKS proxy tunnel, set up with the DynamicForward config option or the equivalent command-line flag. Use either of the following:

- In the SSH client config, use the "DynamicForward 1080" parameter

- On the SSH command line, use the "-D 1080" argument

Then, in Thunderbird, go to General Preferences -> Network section -> Edit connection settings and configure Thunderbird to use the SOCKS proxy tunnel:

- Configure Proxies to Access the Internet - Manual proxy configuration

- SOCKS Host: localhost

- Port: 1080

- Enable "Proxy DNS when using SOCKS v5"

Then go back to the account server settings and set it to the real server settings (actual hostname and port).

The advantage of the SOCKS proxy tunnel is that the Thunderbird client connects to the real mail server hostname, so no certificate exception is needed and the annual renewals are transparent.
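
The two tunnel setups side by side in an SSH client config, as an added example that is not from the original post. The host names gateway.example.org and mail.example.org, the aliases, mail port 993, and the use of LocalForward for the first method are assumptions; ports 1993 and 1080 are the ones used above.

```sshconfig
# Hypothetical names: gateway.example.org is the SSH host you tunnel through,
# mail.example.org is the real mail server. Port 993 (IMAPS) is assumed.

# Port-forward method (assumed to be a LocalForward): Thunderbird is pointed at
# localhost:1993, so the name it checks the certificate against is "localhost",
# which the server certificate does not cover. This forces the stored exception.
Host mail-portforward
    HostName gateway.example.org
    LocalForward 127.0.0.1:1993 mail.example.org:993

# SOCKS method: equivalent to "ssh -D 1080 gateway.example.org".
# Thunderbird keeps the real hostname in its account settings and validates the
# certificate against that name, so no exception has to be stored.
Host mail-socks
    HostName gateway.example.org
    # Explicit loopback bind so the proxy is not offered to other machines.
    DynamicForward 127.0.0.1:1080
    # Make ssh exit at startup if port 1080 cannot be bound.
    ExitOnForwardFailure yes
```

With the second entry active (`ssh mail-socks`), the previously stored exception for localhost:1993 is no longer used and can be deleted from the Servers tab.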