Access hidden services email server icedove through Qubes/Whonix


I can reach an email account that I can only reach via hidden services (nnnnnnnnnnn.onion) via tor browser on anon-whonix AppVM and read/write email. I then added icedove to my MailVM. I created a few regular email accounts (abc123@testing.com) and they work as expected. Added icedove to Anon-whonix VM and did the same. Works. But when I add a hidden services email server on the icedove in Anon-Whonix VM, I get connected, and no folders are created except inbox. No emails are downloaded either. No errors indicated.
WHONIX docs in the section on Hidden services talks about server webserver setup. All I want to do is use icedove as a client to reach the server.
TorBirdy is enabled and shows (Whonix) There is also a (Use Tor Router) option. Same result.

What am I doing wrong? I am new to this from Thunderbird on Windows 10. Latest TAILS. icedove works by the way for accessing .onion email servers with icedove from TAILS. But I will like to use Qubes/Whonix from now on if possible.

Thanks for listening.


Did you install yourself or are you using pre-installed icedove+enigmail+torbirdy?

Are you watching the Activity Manager? (launch using Icedove Menu)

From what you said:

  1. Tor Browser in anon-whonix works. You have Tor connectivity.
  2. Non-onion email accounts work in Icedove on anon-whonix. Icedove + TorBirdy works.
  3. Onion email accounts work in Icedove on Tails. Accounts work.
  4. Same onion accounts do not work on anon-whonix.

Icedove should work out-of-the-box on anon-whonix. I would focus on email account specific settings. Compare Menu > Account Settings > Server Settings between working onion account on Tails vs Whonix. Some servers do not enable TLS over onions since it’s encrypted already.


You got my description right. Thanks
I did not install icedove or Tor, whonix or torbirdy myself.
I diligently wrote down the settings of same onion accounts frrom TAILS icedove & duplicated in Whonix anon-whonixVM icedove. Did not work.

I also created a Debian-8 based AppVM. Put icedove in there and added torbirdy extension. I had had success a few years ago with Thunderbird/Windows doing so. But did not work in Qubes either. I think something is messing with ports socks and proxies. But those are beyond me. I just try to use what is available.



I should have asked if you can browse onion sites using Tor Browser. If not, then perhaps your issue is somehow related to Anon-whonix qube proxy error... Tor disabled.

In any case, if you don’t mind, let’s take a step back and run whonixcheck in both sys-whonix and anon-whonix. If either of those require updates, then please update the respective templates.

Just so I don’t get fooled again.


This might be creating different problems. Did you add torbirdy via the Icedove Add-ons menu? I’m not sure if that installs dependencies or not…

Use debian repositories whenever possible:
sudo apt-get install xul-ext-torbirdy


That was another attempt to see if I could get icedove to work in a Qubes configuration outside WHONIX. I did it today after your first reply. Yes I had added it via add-ons menu. So now to follow your advice, I removed the extension and did:
sudo apt-get install xul-ext-torbirdy.

Lo and behold; it went through. My folders were setup and emails downloaded.
Thanks entr0py.
But this is in the new debian-8 based appVM I created. I am looking for the added protection possible through WHONIX. I hope??
However, Why won’t it work in anon-whonix VM?
I appreciate your help.


Yes I can browse onion sites using Tor browser from anon-whonix all day long. Can also access my email accounts on those sites read/write from anon-whonix TorBrowser.

Whonixcheck in both sys-whonix and anon-whonix ran fine without any issues. Both are reported up to date.
Problem is icedove from inside anon-whonixVM

Thanks for listening



I created a NEW appVM based on Whonix-WS template. Added icedove to it. Nothing else. I then manually setup the hidden services email server (IMAP-incomiing port:143) (outgoing; same .onion server but port 25) They are all same settings as I use successfully in TAILS.
SUCCESS this time.

Still fails in the icedove setup in Anon-whonixVM
Am puzzled but relieved.


Thanks for the update! I’ll try to reproduce the error.


Before I proceed, your server settings - IMAP port 143 - makes me wonder…

Please go to Menu > Preferences > Account Settings > Server Settings for your onion email account

Under Security Settings what does it say for Connection security? If the working configuration says None or STARTTLS, then we have the answer and an easy fix.



The onion email provider requests that IMAP port be set to 143 and SMTP port be set to 25.
The working configuration says STARTTLS
I have now set icedove in all the VMs to reflect that and they all work.

Thanks a lot for your help.


Good to hear.

I’ll revise my earlier post for others that have related issue. I incorrectly thought that TorBirdy could be reconfigured to allow non-SSL/TLS-encrypted connections. Such an option could be useful when connecting to onion servers which always create end-to-end encrypted connections regardless. (end-to-end meaning icedove to onion server, not necessarily mail server).

But looking at the option again:

It specifically mentions “secure renegotiation”, which is most likely referring to “Transport Layer Security (TLS) Renegotiation Indication Extension[1]”. And not SSL/TLS in general. It would probably be considered too dangerous to include an option that would send mail in-the-clear to non-onion servers. I’ve never come across an email provider that didn’t offer TLS, so unable to test. Perhaps Hillary offered a non-TLS onion on her server? :wink:

[1] https://tools.ietf.org/html/rfc5746


Please consider adding a hint about this here: