htaccess can turn it off for a domain. add
<IfModule mod_security.c>
# Turn off mod_security filtering.
SecFilterEngine Off
# The below probably isn't needed.
SecFilterScanPOST Off
</IfModule>
to their htaccess file, although it would be better to fix the rules if they are breaking webmail rather than leaving a domain un protected.
You can add eclusions to mode sec, check the logs and see what is causing the problem and either remove the rule or add an exlusion for the script that is having problems.
eg
###########################################
#script exclusions
###########################################
<LocationMatch "myscript.php">
SecFilterInheritance Off
</LocationMatch>