You should create the terminal as an elevated one by right clicking the start button and choose either Command prompt (Admin) or Powershell (Admin) according to the Windows version (recent ones default to Powershell)

Thanks, I had forgotten that. I have added the routes, and it now works, albeit a bit slowly.

You could report that to your VPN support service, maybe they could find a way to configure their software bypassing feature better.

Be aware that these routes assume that the whole ranges (2 x 65535 IP addresses) are belonging to Microsoft. I have not checked if it's true, if not the rules may route other sites outside of the VPN.

The best solution would be to allow connection to MS servers through the VPN, but that's another problem.

But if you are stuck with this solution, and your VPN has a way to be started from the command line, it could be possible to write 2 scripts to start and stop the VPN, creating and destroying the routes automatically.

Thanks very much for your help. This is all completely outside my skill set. There are so many factors involved that it is extremely difficult to work out where the error arises. I hope this experience will be helpful to others.

I spoke a bit too soon. I can write a new message and send it to my Microsoft 365 hosted mailbox, and the connection goes through to the Outlook smtp server, albeit rather slowly. But I can't reply to a message sent to my 365 hosted mailbox, that fails exactly as before. I obviously don't know much about this, but I'm wondering if it's something to do with authentication tokens. Maybe the token attached to the incoming message does not work when I reply?

I should add that if I turn off the VPN a reply to the 365 hosted mailbox goes through without delay.

When you turn off the VPN, the added rule is probably solving it.

With VPN on, problem most probably comes from Microsoft using a different address range in this case - no idea why, but that seems the only logical possibility. The problem is, I do not know the exact ranges used by Microsoft for their SMTP servers. You could probably get them by turning the SMTP debugging back on if you have invalidated it, then running with the VPN off, when it works it should show you the IP address used (I hope).

Short of that, interrogating it just now, I see that 40.101 is also included for smtp.office365.com You could try to add 2 new routes instructions with

route add 40.101.0.0 mask 255.255.0.0 192.168.1.254 metric 25 route add 40.100.0.0 mask 255.255.0.0 192.168.1.254 metric 25

Since 40.99 and 40.101 are used, probably 40.100 too.

This said, it's a wack-a-mole system. As the problem is understood, I'd say that your VPN provider should solve it for good.

Of course, there is no problem at all if I use Windows 11 Mail and not Thunderbird. So why is the VPN treating Thunderbird differently?

Well, I have absolutely no idea how Windows 11 Mail connects to Office 365 as I have never used it, but if by any chance it is an Exchange-type software (because behind Office 365 there are a ton of Exchange servers), it is connecting through the https port (443). This port is never blocked by anything since it's used by web browsing, so it can't be touched by VPN, firewalls, etc...Try to look up the mail configuration of this software, if you can find something like smtp.office365.com I'll be proven wrong of course. If on the other hand all that is shown is something like 'office 365' or 'microsoft account', it's not using any standard mail protocol, only Microsoft specific stuff.

Even the advanced settings for Windows Mail do not give options for ports, so I have no idea how it is connecting.

I just got this reply from VPN support:

"SMTP port 587 is blocked by Surfshark due to malicious spamming activities, that were reported by our VPN server providers, which means that the only ports that can be used at the moment are 465 and 2525 - that is mainly the cause of this issue."

I'm quite doubtful about this, as I am able to send a new email via port 587, but I can't reply via that port.

If you have no port settings, chances are pretty high it's connecting through https, like any MS client for Exchange (Outlook for example).

About the port 587, there is quite a few to unfold.

• you sending a new email with this port but unable to reply: sorry, but sending/receiving is done through a mail server, and standard (ie not belonging to 3 letters agencies) mail server don't look at all at this kind of detail, that is if

1) you send an email to Mr Jones 2) you receive an email from Mss Smith 3) you reply to Mss Smith There is NO technical difference between mails 1 and 3. The mail server don't know about that, it's 2 bunches of bytes to make transit. So what you say is not possible. You must be mistaken somewhere and use the VPN sometimes, and not at other times.

• your VPN provider reply: on the surface it's utterly absurd, there is no difference between ports 587 and 465, from a functional point of view they are doing the same thing, and can be abused to send spam in the same manner.

The only difference I can imagine is political, port 465 is not allowed by Microsoft, it's allowed by other mail providers including Google. And a VPN provider can't be afraid of any mail provider including Google, but it can be afraid of Microsoft as they can be blocked out of Windows. So it makes some sort of evil sense because it's blocking VPN users of trying to abuse Microsoft servers.

Because the problem seems to be intermittent, I was probably misled. I tried again today and could not find a difference between a new message and a reply.

Just heard back from Microsoft support, who seem to agree that the Surfshark explanation is absurd. They say:

"That is not a 587 issue. It's because of Basic auth being turned off. I found out yesterday that it's affecting a lot of applications. I was told that there is nothing that we can do. Sorry."

This doesn't explain why the problem is related to the VPN being turned on or off.

I think that the Microsoft support answer is even more absurd still. I connected just yesterday to a outlook.com account with basic auth - an app password to be precise, so basic auth is NOT turned off for good. If I connect to smtp.office365.com, and issue an EHLO, I get (among other replies) a 250-AUTH LOGIN XOAUTH2 "LOGIN" means that plain password is accepted. They don't know what service they are providing.

OTOH, if the Surfshark VPN blocks port 578, there is nothing that can be done to connect to smtp.office365.com, as it does not accept port 465. The answer from the Surfshark VPN support does make sense, however ridiculous it is to block port 587. It's no more ridiculous for your VPN to block port 587 than for Microsoft to not accept port 465, though. You should use another VPN, and another mail provider :-). (even Google is less bad) Unless you try the routes I advised you to add to your system.

We are at the end of this road. MS support just came back and said that I can also use port 25, but that and 587 are the very ones that the VPN blocks. Neither provider will talk to the other and resolve this. As you say, I need a different VPN.

Thanks for all your help - very educational.