A Simple CGI Email Handler

What's New in Version 3.01?

A flaw which could be exploited to send spam has been fixed. The subject line and user's email address were not checked for newlines. This could be abused to insert additional headers into the message, such as Cc: and Bcc: headers addressing additional recipients. This has been fixed in 3.01. Thanks to Pedro Pessoa.
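The kind of check this fix describes, shown in Perl as an added example: it is not the code from email.cgi, and the helper names header_value_ok and build_headers and the sample submissions are hypothetical. It rejects any email or subject value containing a control character (CR and LF, and also tab), so a submitted value cannot start a new header line such as Cc: or Bcc:.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not taken from email.cgi): returns the value if it is
# safe to place on a single header line, or undef if it contains CR, LF or
# any other control character that could end the header line early.
sub header_value_ok {
    my ($value) = @_;
    return undef unless defined $value;
    return undef if $value =~ /[\x00-\x1F\x7F]/;   # range includes \r and \n
    return $value;
}

# Build the header block only when every user-supplied field passes.
# The recipient is deliberately absent here: per the page it is checked
# against email.conf rather than trusted from the form.
sub build_headers {
    my (%field) = @_;
    for my $name (qw(email subject)) {
        return undef unless defined header_value_ok($field{$name});
    }
    return "From: $field{email}\n"
         . "Subject: $field{subject}\n"
         . "\n";                                   # blank line ends the headers
}

# Constructed sample submissions: one clean, two carrying an embedded newline.
my @submissions = (
    { email => 'visitor@example.com', subject => 'Hello' },
    { email => 'visitor@example.com',
      subject => "Hello\nBcc: someone-else\@example.com" },
    { email => "visitor\@example.com\r\nCc: someone-else\@example.com",
      subject => 'Hello' },
);

for my $s (@submissions) {
    my $headers = build_headers(%$s);
    if (defined $headers) {
        print "accepted:\n$headers";
    } else {
        print "rejected: control character in email or subject\n";
    }
}
```

Rejecting the whole submission, rather than silently stripping the newline, keeps the malformed request visible in the web server's logs.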

What's New in Version 3.0?

Rewritten in Perl. The new email.cgi Perl script is 100% backwards compatible with the old email.c program; existing forms and email.conf files will not need modification to work with it.

If you are using the old C version we recommend that you upgrade, especially if you are using version 2.0 or earlier (from many, many years ago) which contained potential security flaws.


You need a Unix-based web server or web hosting account that permits CGI programs written in Perl 5. All modern web hosts allow Perl CGI programming. If you are using a Windows-based web server, you should consider an ASP solution instead. Most free web hosting services, however, will not allow you to use this script; they may offer alternatives of their own.

Obtaining email.cgi

email.cgi in a ZIP file (email.zip)

email.cgi in a gzipped tarfile (email.tar.gz)

Configuring email.cgi

Just after the copyright notice in email.cgi, there are two very important definitions you must configure. The first defines the location of the sendmail utility on your system. The default setting works for many systems; however, if email.cgi does not send email for you and displays no error message, it is highly likely that sendmail is located in a different place on your system, perhaps /sbin/sendmail or /usr/bin/sendmail. If you are not using a Unix-based server, you do not have sendmail and probably cannot use this script.

The second setting defines the location of your email configuration file, which you will want to set to the following:

my $emailConfPath = "/home/www/conf/email.conf";

You must replace "/home/www/conf" with the directory where you have decided to keep your email configuration file. Your email configuration file contains a list of allowed email recipients and the pages to which users should be redirected after email is sent to those recipients, on alternating lines. You can create this file with a text editor such as notepad or pico.

The other setting (new in version 2.1) defines the location of the email binary:

my $emailBinary = "/usr/sbin/sendmail";

If this is not the location of your email binary, change this setting appropriately. (Typing 'which mail' at your shell prompt may help you discover the correct location for your system.)

Installing email.cgi

Move email.cgi to your cgi-bin folder. If you do not have one, check your web host's documentation to determine where your CGI scripts are supposed to go. You may be able to simply place email.cgi in your main html folder, depending on your web host's configuration choices.

Set the permissions on email.cgi to mark it executable:

chmod u+x email.cgi

(Various FTP programs also provide a way to access the chmod command.)

Writing your email configuration file

Here is a sample email.conf file:
As you can see, this file contains email addresses alternating with the URLs of web pages. For each user permitted to receive email through the script, state the user's email address and the URL of the web page that visitors should "land" on after sending email to that user.

Save this file under the filename you specified for $emailConfPath.

Creating an email form

The last step is to create an actual email form for each user. You may use the following form as a template, simply modifying my name and the URL of the email script (if necessary). Be sure to change VALUE="CHANGEME" to the correct email address for the recipient. Note that you may also replace the hidden "recipient" field with a visible "select" dropdown box to allow the user to pick one of the allowable recipients.

<title>Email to Thomas Boutell</title>
<h2 align="center">Email to Thomas Boutell</h2>
<form method="POST" action="email.cgi">
<!-- This hidden form field contains the
        email address of the recipient, but we don't
        just blindly trust it. email.cgi
        checks email.conf. -->
<input type="hidden"
        name="recipient" value="boutell">
<table align="center"
        border="0" cellpadding="5" cellspacing="5">
<tr><td>Your Name</td>
<td><input name="name"/></td></tr>
<tr><td>Your Email Address</td>
<td><input name="email"/></td></tr>
<tr><td>Subject</td>
<td><input name="subject"/></td></tr>
<tr><td colspan="2">Text:</td></tr>
<tr><td colspan="2">
<textarea name="content" rows="10" cols="40"></textarea>
</td></tr>
<tr><td colspan="2" align="center">
<input type="submit" value="Send Email"></td></tr>
<tr><td colspan="2" align="center">
<a href="/email/">Cancel</a></td></tr>
</table>
</form>

That should do it!

This should be enough information to allow you to set up your own email-handling forms. Enjoy.