> The messages are stored only on my local machine. After receiving them, I make sure that all copies are removed from the server.
Unless GPG/PGP or SSL/TLS is used between email servers (e.g. an email from Outlook being sent to Gmail), this would be a huge risk point. However, without E2EE (end-to-end encryption) server A and server B can still read the emails, as SSL/TLS will only provide endpoint security between the two servers, and not at rest.
> The (corporate) e-mail system I use is encrypted and "safe"
This would be fine, except for the wording 'corporate'. As I cannot see how E2EE is handled, I cannot place any trust in the ciphers. This has another problem though: does corporate email (server A) encrypt the email so only you can access the email? This means once the email is encrypted, server A and server B (where the email will be received from server A) cannot read the plaintext email contents. The only one capable of decrypting the ciphertext is you, and not any server.
This would be an implementation of PGP.
> To gain access to the passwords, a hacker would need to be granted access to my machine which is less likely as it is on a corporate network.
Given no plaintext or decryptable copies (within a reasonable timeframe) are kept on any servers, this sounds good. However, you must now ensure the emails stored locally can only be accessed by you, and if your machine is compromised, how will you play interference? Encrypting your local email contents could be a viable option here. Mozilla Thunderbird offers 'profile encryption'. However, this only allows Encrypting File System (EFS), which is its only limitation: EFS will need to be your choice. Personally, I would opt for either an encrypted virtual machine (full-disk encryption) or another user where I would encrypt the user's home directory.
I can foresee another problem though: because Thunderbird does not know the message body contains a sensitive password, it may store contents within the cache, swap memory or make temporary files stored within secondary storage (e.g. HDD). Note this point is mere conjecture and should be acknowledged for all programs.
> If a hacker did happen to gain access, he would not likely think to look in archived e-mail messages stored on the local machine
While this could be unlikely, I would not want to risk my security on 'hope', especially the idea of 'I hope they will not think of this'.
> Is there any way to quantify this risk?
I can break this down into several other points:
- Is full-disk encryption used?
- Or is user directory encryption used?
- How easily can the email profile contents be accessed locally?
- Is profile encryption used?
- How protected are you against spyware?
- What safeguards do you have against physical access, e.g. an Evil Maid attack?
These are only a few points, more can be added, but these would be major attack vectors to consider. If you are considering an alternative, but want an open source solution, consider KeePassX. If used correctly, it can also be used as a cloud-based password manager.
For further reading, Is sending password to user email secure?
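One way to put a number on the "how easily can the email profile contents be accessed locally?" question is to audit the local mail store yourself: count how many archived messages still carry a credential in plaintext, and check whether the store file is readable by other accounts on the machine. The script below is an added example and not part of the original answer; it uses Python's standard `mailbox` module on a constructed two-message mbox (Thunderbird keeps folders in mbox format), and the sample addresses and credential are made up.

```python
import mailbox
import os
import re
import stat
import tempfile

# Constructed sample mbox (not from the post): one harmless message and
# one helpdesk message that discloses an account password in plaintext.
SAMPLE_MBOX = """From alice@example.test Mon Jan  1 10:00:00 2024
From: alice@example.test
To: bob@example.test
Subject: Lunch

See you at noon.

From it-helpdesk@example.test Mon Jan  1 11:00:00 2024
From: it-helpdesk@example.test
To: bob@example.test
Subject: Your new account

Username: bob
Password: Hunter2-temp!
Please change it after first login.

"""

# Lines of the form "Password: ..." / "passwd=..." that credential e-mails typically use.
CREDENTIAL_RE = re.compile(r"^\s*(password|passwd|pwd)\s*[:=]", re.I | re.M)


def _text_parts(msg):
    """Yield the decoded text/plain bodies of a (possibly multipart) message."""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")


def scan_mbox(path):
    """Report messages that still hold a plaintext credential and whether the
    store file is readable by group/other (i.e. by any other local account)."""
    exposed = bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))
    box = mailbox.mbox(path, create=False)
    hits = [{"key": key, "from": msg["from"], "subject": msg["subject"]}
            for key, msg in box.items()
            if any(CREDENTIAL_RE.search(text) for text in _text_parts(msg))]
    box.close()
    return {"messages_with_credentials": hits, "store_readable_by_others": exposed}


def write_sample():
    """Write the constructed mbox to a private (0600) temp file; return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_MBOX)
    return path


if __name__ == "__main__":
    print(scan_mbox(write_sample()))
```

Run it against a real Thunderbird folder file (e.g. the `Inbox` file inside the profile's `Mail` directory) to see how many archived messages would hand a password to anyone who can read that file.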