phplist, phpmailer, mod_security and SMTP

While trying to install a copy of the phplist application I ran into a small problem.

[Thu Sep 20 11:43:39 2007] [error] [client 76.45.195.42] mod_security: Warning. Pattern match "([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}" at POST_PAYLOAD [hostname "www.mysite.com"] [uri "/lists/admin/?page=send&id=10"]

The hosting company that I am using has mod_security installed for Apache. They have a rule something like:

SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"

set in the apache configuration file. This rule will check all POSTS to the Apache server and search for anything that looks like an email address. If mod_security finds a string that looks like email address the script execution is halted.

phplist uses the phpmailer library to process it's outgoing queue. phpmailer creates a POST with an email address string in the payload of the POST. The address string is found by mod_security and phplist sends no email.

Here are the settings that I changed in phplist. They are all located in the /public_html/lists/config/congif.php file:

# If you want to use the PHPMailer class from phpmailer.sourceforge.net, set the following
# to 1. If you tend to send out html emails, it is recommended to do so.
define("PHPMAILER",1);

# To use a SMTP please give your server hostname here, leave it blank to use the standard
# PHP mail() command.
define("PHPMAILERHOST",'localhost');

# if you want to use smtp authentication when sending the email uncomment the following
# two lines and set the username and password to be the correct ones
$phpmailer_smtpuser = 'phplistsmtpuser@mysited.com';
$phpmailer_smtppassword = 'password';

Changing the PHPMAILERHOST setting in phplist to 'localhost' prevents phpmailer program from using the php mail() function. No POST is generated and everything works.

I hope this helps someone, someday :).

Reference: