Legacy: Setting up MSA Formmail Script (Perl)

We do not recommend using MSA Formmail, which is outdated and insecure. Use Tectite's FormMail (free, PHP) instead.

These instructions are kept here for legacy purposes (MSA Formmail versions 1.92 and above).

  1. Download the source script from Matt's Script Archive to your computer.
  2. Using a text editor (Notepad, TextEdit), set up the script with the correct parameters for your web site.
  3. Using a text editor (Notepad, TextEdit), set up your HTML form to use Formmail.
  4. Using FTP, upload formmail.pl into your cgi-bin directory (/cgi-bin) and give it permissions 755.
  5. Using FTP, upload your HTML form page onto your web site (/docs or /httpdocs).
  6. Check the results.

1- Setup Instructions for the formmail script:

You may have to modify these lines of code:

$mailprog = '/usr/lib/sendmail';

Change the location of sendmail to:

$mailprog = '/usr/sbin/sendmail';

@referers = ('scriptarchive.com');

Replace scriptarchive.com with your domain name (no www).
This array allows you to define the domains that you will allow forms to reside on and use your FormMail script. Taking worldwidemart.com as the example domain: if a user tries to put a form on another server that is not worldwidemart.com, they will receive an error message when someone tries to fill out their form.
Placing worldwidemart.com in the @referers array also allows www.worldwidemart.com, ftp.worldwidemart.com, and any other http address with worldwidemart.com in it to access this script, so no users will be turned away.

The @valid_ENV array allows the administrator to specify a list of environment variables that the user may request be added into the e-mail. This is a security patch that was advised at http://www.securityfocus.com/bid/1187 and was implemented by Peter D. Thompson Yezek at http://www.securityfocus.com/archive/1/62033. Only environment variables listed in this array may be included in the form field env_report. So if you wanted to also know what URL a user was submitting from, you could add HTTP_REFERER to @valid_ENV and then include HTTP_REFERER in your env_report form field.

@recipients = &fill_recipients(@referers);

We recommend that you change these default settings and set up your version of formmail to send email only to specific addresses, as described below:

The most secure way to operate FormMail is to explicitly specify only those e-mail addresses allowed.
@recipients = ('^mattw@worldwidemart.com','^joe@worldwidemart.com');

Note: When specifying a complete e-mail address you should place a ^ at the beginning. FormMail automatically requires that the recipient form field match the end of one of @recipients, but by adding a ^, you are also telling the Perl regular expression parser that it must match the recipient form field exactly (^ signifies the beginning of the field).

@recipients = &fill_recipients(@referers);

If you wish to only allow e-mail addresses at the domain names in @referers to receive form results, you probably do not need to change this variable. However, if you get any 'Error: Bad/No Recipient' messages when running FormMail, you may have to revisit @recipients and make sure you have correctly listed all domains or configured this variable.

@recipients is the most important variable you need to configure. It is an array of regular expressions defining all valid recipients that can be specified. In order for an e-mail to be sent to the recipient defined in a form, the recipient e-mail address must match one of the elements in the @recipients array.
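
The matching rule described in the Note and the paragraph above, as an added example (not FormMail's own code and not part of the original instructions). The allowed() helper and the domain-wide pattern are assumptions made for illustration, and the candidate addresses are constructed; the script prints which recipient values each @recipients setting would accept.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Model of the rule in the Note (not FormMail's own code): the recipient field
# must match the END of one pattern; a leading ^ also pins the start.
sub allowed {
    my ($candidate, @patterns) = @_;
    for my $p (@patterns) {
        return 1 if $candidate =~ /(?:$p)$/i;
    }
    return 0;
}

# Configurations to compare. The first is the page's explicit list; the other
# two are constructed for contrast (the domain-wide pattern is an assumption).
my @configs = (
    [ 'explicit, with ^' => [ '^mattw@worldwidemart.com', '^joe@worldwidemart.com' ] ],
    [ 'explicit, no ^'   => [ 'joe@worldwidemart.com' ] ],
    [ 'domain-wide'      => [ '^[\w.-]+@worldwidemart\.com' ] ],
);

# Constructed recipient values, as they might arrive in the form field.
my @candidates = (
    'joe@worldwidemart.com',
    'notjoe@worldwidemart.com',
    'sales@worldwidemart.com',
    'joe@worldwidemart.com.example.net',
);

for my $cfg (@configs) {
    my ($label, $patterns) = @$cfg;
    print "\@recipients: $label\n";
    for my $c (@candidates) {
        printf "  %-36s %s\n", $c, allowed($c, @$patterns) ? 'accepted' : 'rejected';
    }
}
```

Only the explicit list with ^ limits delivery to the named mailboxes: without the ^, any address that merely ends in a listed address is accepted, and a domain-wide pattern accepts every mailbox at that domain.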


For the simplest setup, place any domain name that you wish to send form results to in the @referers array. Warning: This allows those domains to also access your FormMail script and utilize it to process their own forms, but likely this is what you intended anyway. If so, you can leave:

@recipients = &fill_recipients(@referers);

2- Setup Instructions for your HTML page:

1- In your form, set the action to:

<form action="http://www.your_domain.com/cgi-bin/formmail.pl" method=post>

2- Add the following hidden fields:

Required fields:
<input type=hidden name="recipient" value="support@emergence.com">

Optional fields:
<input type=hidden name="subject" value="Your Subject">
<input type=text name="email">
<input type=hidden name="redirect" value="http://your.host.com/to/file.html">
<input type=hidden name="required" value="email,name">

The whole list of options is available at: MSA