MT6000 (4.5.7) VPN Policy Based in the Target Domain or IP

MT6000 using V4.5.7. I have an application that needs to use an email relay on port 587. My VPN provider (Surfshark) blocks this port as part of their spam prevention policy. My ISP allows the port to connect. When the VPN is shut off, test emails go through.

I added an an exception for the SMTP server (mail.gmx.com) to exclude it from the VPN. Test mails fail unless I shut off the VPN.

Apparently the exclusion list isn’t working. Is this a bug or am I doing something wrong?

I would guess that the domain for your smtp server isn’t correct. Maybe there are more than 1 IP.

Try to exclude gmx.de

Thanks for the response. Changing the server to mail.gmx.de and adding it to the exceptions results in the same issue. In both cases the name of the server is correct.

When I shut the VPN off, the email test goes through. When I turn it on, the email test fails.

Do you use the router as your DNS server on the client? This is necessary for VPN policy to work.

No other DNS server than the router is allowed.

Generally imcoming server should be imap.xxxdomain.com

Check out Setting Up Windows Mail - GMX Support

So pls add imap.gmx.com

TCP/587 is SMTPS - so only sending.

But GMX is a pretty bad provider, so they might even require POP3 before SMTP or any other weird things.

Try running tcpdump before you initiate this connection and check what dns and ips youre connecting too. Then try excluding those.

And as @admon said make sure youre using router as a dns server and if youre using adguardhome then disable the handle client request option.

ahhydri: I disabled the ‘AdGuard Home Handle Client Requests’ option and it worked! Thanks for the suggestion.

That option is pretty handy for finding blocked web addresses when I am having issues. Is there any way I can disable this option only for this device?

Yes, you can but vpn polices will not work for this device only.

To enable this option only for a specific device, u need to forward all the dns request from this device to adguadhome ip and port.

Or just enable the Override DNS Settings for All Clients switch within the DNS settings of your router. See DNS - GL.iNet Router Docs 4

In that case, you will still see AdGuard Home protocols (well, just with localhost, but it’s better than nothing) + VPN policy will work.

Thanks for the response. This is a virtual machine running on a NAS. I’ll try isolating the DNS settings for it.

Thanks. My question was to bypass those settings only for the device that is causing a problem, not all of them.