Allow pinning certificates in Thunderbird
While browsing the web, you might be presented with many different certificates every day but in the case of email, you basically always use the same certificates: the onces from your email provider. So trusting all CAs by default and allowing so many possible man-in-the-middle attacks is not really needed for usability.
We should have some mechanism to allow pinning certificates in Icedove instead of relying on the default certificate authorities.
This relates to https://trac.torproject.org/projects/tor/ticket/13607 which is unlikely to happen any time soon in TorBirdy.
Other people mentioned Certificate Patrol (https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/) or Cert Viewer Plus (https://addons.mozilla.org/en-US/firefox/addon/cert-viewer-plus/?src=search)
The first thing would be to test these.