People should not install packages from outside the repositories.

Apt checks each package against its digital signature and, if the signature doesn't match the official one, warns you and asks you what to do (install anyway or discard).

Usually when you get this error, just run apt-get update and you're OK.

If you download Thunderbird from Ubuntu's website, the connection is not encrypted (it is HTTP), so it is easy to compromise your security with a man-in-the-middle attack made by an NSA spying program or a compromised network device (at your home/office/ISP/backbone).


If you download Icedove from Debian's website you are using HTTPS, which is OK, but you don't check the digital signature, and this is bad because it is an additional security system that allows you not to trust the mirrors that you have used.

For example, see here:

https://wiki.ubuntu.com/BasicSecurity

4. stick to the official repo's as much as possible, and only deviate from them when strictly necessary and with much caution;


A good paper is: https://wiki.debian.org/SecureApt

Probably a solution could be "How to manually check a package's integrity", but you would probably have to import some external keys.

IMHO the best solution is to install claws-mail.
