
On 08/01/2018 09:43 AM, Bernie Cosell wrote:
mod_security is an Apache webserver module that has a complex ruleset used to examine every request and response. It attempts to detect and prevent malicious activity. Doc on https://www.modsecurity.org.
It is not uncommon for form submissions to run afoul of mod_security rules. Typically, there are cases where data is encoded in ways that appear to be hiding something - e.g. %-encoding URLs or POST data where it's not necessary, excessively long URLs or large POSTs - and so on. There's a pretty large list. Most are regexes applied at various stages of request processing; some are based on things like request size. Some are rules that assume a pretty dumb web service; where you know that Mailman can cope with constructs/sizes/encodings, you're expected to disable those rules on the URLs that it serves.
There will be logs on the server that specify exactly what rule was tripped, its ID, and the suspect input.
Then there are three courses of action possible:
o The rule can be disabled by ID in the webserver config, for the specific Mailman POST URL (or globally, but that's not smart). It's also possible to completely disable mod_security for a URL or vhost - but that's also not advisable.
o Mailman can be changed to not require input that trips the rule.
o Your client can be changed not to generate input that trips the rule.
You will need help from someone with admin privs to at least share the logs, if not make adjustments to the mod_security configuration. Like any protective filter, it takes some thought and analysis to make the right changes. That is, the change that allows what you want, but doesn't open an unintended attack surface.
In my experience, these issues are never caused by just one rule - if an application trips one, waiving or fixing it will only get you to the next one. It can take a while to get to a workable ruleset. It is generally worth the trouble, as mod_security is effective at protecting against quite a few exploits. It does take a while to learn how it works and how to teach it how to stay out of your way.
There are two things likely to be changed on the server end: The webserver config file that will include directives to disable specific rules on particular URLs. And possibly a set of customized rule overrides for Mailman. (These can go in separate files that are dropped in the rules directory.)
Once that's done, sharing the result with the MM community would save others a lot of repeat effort.
Good hunting.
participants (1)
-
tlhackque
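
Added example, not part of the original post and not Mailman or ModSecurity project code: a small Python script that reads ModSecurity 2.x entries from an Apache error log, groups the tripped rule IDs by Mailman URL, and drafts per-URL `SecRuleRemoveById` exceptions for an admin to review. The log lines, rule IDs, hostname and paths are constructed, the function names are hypothetical, and scoping by the first two path segments (`/mailman/<script>`) is an assumption about the URL layout.

```python
import re
from collections import defaultdict

# Constructed Apache error-log lines in ModSecurity 2.x format; the rule ids,
# messages, hostname and paths are invented for illustration.
SAMPLE_LOG = r'''
[Wed Aug 01 09:40:12.101 2018] [:error] [pid 4242] [client 192.0.2.10:51514] ModSecurity: Access denied with code 403 (phase 2). Pattern match "%25" at ARGS:body. [file "/etc/modsecurity/rules/example.conf"] [line "40"] [id "199001"] [msg "Constructed: multiple URL encoding"] [hostname "lists.example.org"] [uri "/mailman/admindb/test-list"] [unique_id "AAA"]
[Wed Aug 01 09:41:03.550 2018] [:error] [pid 4242] [client 192.0.2.10:51520] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 65536 at ARGS_COMBINED_SIZE. [file "/etc/modsecurity/rules/example.conf"] [line "88"] [id "199002"] [msg "Constructed: argument size too large"] [hostname "lists.example.org"] [uri "/mailman/admindb/test-list"] [unique_id "AAB"]
[Wed Aug 01 09:44:17.007 2018] [:error] [pid 4243] [client 192.0.2.10:51533] ModSecurity: Access denied with code 403 (phase 2). Pattern match "%25" at ARGS:members. [file "/etc/modsecurity/rules/example.conf"] [line "40"] [id "199001"] [msg "Constructed: multiple URL encoding"] [hostname "lists.example.org"] [uri "/mailman/admin/test-list/members"] [unique_id "AAC"]
[Wed Aug 01 09:45:00.000 2018] [core:notice] [pid 4200] AH00094: Command line: '/usr/sbin/apache2'
'''

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
SAFE_SCOPE = re.compile(r'(/[\w.~-]+)+')                # paths safe to emit in config

def parse_hits(log_text):
    """Yield the bracketed key/value fields of each ModSecurity log line."""
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "ModSecurity:" in line and fields.get("id", "").isdigit() and "uri" in fields:
            yield fields

def scope_of(uri):
    """Reduce /mailman/<script>/<list>/... to /mailman/<script> (assumed layout)."""
    parts = uri.split("?", 1)[0].strip("/").split("/")
    return "/" + "/".join(parts[:2])

def tripped_rules(log_text):
    """Map URL scope -> {rule id: msg} so every exception can be reviewed."""
    by_scope = defaultdict(dict)
    for hit in parse_hits(log_text):
        scope = scope_of(hit["uri"])
        if SAFE_SCOPE.fullmatch(scope):   # never copy odd log content into config
            by_scope[scope][hit["id"]] = hit.get("msg", "")
    return by_scope

def draft_exceptions(log_text):
    """Render per-URL SecRuleRemoveById blocks: a draft to review, not to paste blindly."""
    out = []
    for scope, rules in sorted(tripped_rules(log_text).items()):
        out.append('<LocationMatch "^%s(/|$)">' % re.escape(scope))
        for rule_id, msg in sorted(rules.items()):
            out.append("    # %s" % msg)
            out.append("    SecRuleRemoveById %s" % rule_id)
        out.append("</LocationMatch>")
    return "\n".join(out)

if __name__ == "__main__":
    print(draft_exceptions(SAMPLE_LOG))
```

Anchoring each pattern with `(/|$)` keeps an exception for `/mailman/admin` from also covering `/mailman/admindb`, so each rule is waived only on the URL that actually tripped it.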