IIS and FormMail.pl and Perl Taint Mode and Email Relay

Apparently Perl taint mode and NMS FormMail do not always play together well when running on a Microsoft IIS web server. Why? I don't pretend to understand why.

I only know that when I changed this:

#!/usr/bin/perl -wT

to this:

#!/usr/bin/perl -w

my script started to run. That is to say, when I turned taint mode off under IIS, my FormMail.pl script, which would not run at all, started to run.

I'm not claiming that this is a cure-all for FormMail.pl problems under IIS. Here's what the top of my FormMail.pl script currently looks like:

#!/usr/bin/perl -w
#
# NMS FormMail Version 3.14c1
#

use strict;
use vars qw(
  $DEBUGGING $emulate_matts_code $secure %more_config
  $allow_empty_ref $max_recipients $mailprog @referers
  @allow_mail_to @recipients %recipient_alias
  @valid_ENV $date_fmt $style $send_confirmation_mail
  $confirmation_text $locale $charset $no_content
  $double_spacing $wrap_text $wrap_style $postmaster 
  $address_style
);

print "Content-type: text/html\n\n";
print "<html>\n";
print "<head>\n";
print "<title>Got here 1</title>\n";
print "</head>\n";
print "<body>\n";
print "<h1>Got here 1</h1>\n";
print "<p>Got here 1</p>\n";
print "</body>\n";
print "</html>\n";

__END__

Nothing brilliant here. I've basically done three things with the above code:

1. Turn off taint mode by taking the T off of -wT in the shebang syntax on the first line of code
2. Add a little bit of Got here code that is sent to my browser
3. Exit with a perl __END__ statement

As of now, I've only tried running the top few lines (shown above) with taint mode off. For all I know, the whole program could now work. I'll try running the whole program next.

Update: August 4, 2013, 7:47 PM

I've tried running the whole program. More problems. Seems that I'm getting this error code coming back from the mail server:

554 5.5.2 No valid recipients

Here's a Perl module that can be used to test a mail relay to make sure it is working:

Net::SMTP

Note the following example code from the above link:

  #!/usr/local/bin/perl -w

    use Net::SMTP;

    $smtp = Net::SMTP->new('mailhost');

    $smtp->mail($ENV{USER});
    $smtp->to('postmaster');

    $smtp->data();
    $smtp->datasend("To: postmaster\n");
    $smtp->datasend("\n");
    $smtp->datasend("A simple test message\n");
    $smtp->dataend();

    $smtp->quit;

For me, the above code is a great start. However, I need code that will work on a remote webserver that will send the output to my web browser. The following modifies the above code so that it will work in your browser:

Mail Relay Testing With a Perl Script

In the final example on the above page, the original poster (OP) called ccc solves his own problem. In the first few lines of his solution, he sets up his email headers:

#!/usr/bin/perl -w

use Net::SMTP;

$from = 'me@mydomain.net';
$to = 'me@mydomain.net';
$subject = 'relay test';
$server = 'IP_address_of_the_mail_server';

In his code, he mentions IP_address_of_the_mail_server.. In many cases, this will be 127.0.0.1. Many web hosts use 127.0.0.1 as the address of their mail relay to keep things simple for their customers.

Of course, 127.0.0.1 is local host. When you use this address on your webserver, the webserver is referring to itself. In other words, 127.0.0.1 is self-reference. Perhaps this is an example of your mail server and your web server being on the same physical box, the same physical computer.

For $from and $to you might choose to use any email address that you think will work or would like to get working. In my case, I'm using my Gmail email address.

Unfortunately, my Gmail address is not working. Since I'm getting a very general server error, I suspect it is because the web hosting company I'm working with is refusing to relay email to my Gmail.

I suspect the reason that I cannot relay email to Gmail is because the hosting company does not allow it. Internally, they have an approved list of email addresses that you can relay to and my email address is not on that list.

Refusing to relay email to non-approved email addresses is quite common. It's a preventive measure, really. It's to prevent an email relay from becoming an open spam relay.

So, the only thing for me to do now is to call the hosting company I'm working with and ask them to relay email to my Gmail address. Unfortunately, since they don't give me a control panel to work with, I have to talk to a live person (or email them).

Back to the solution provided by CCC.

After the email headers are set up, an HTTP header is sent:

print "Content-type: text/plain\n\n";

As simple as this one line of code is, it enables your browser to handle what comes next. Basically, the above HTTP header concerning the content type says display what follows in my browser window. That is to say, that's the overall effect.

The next line of code sends all errors generated by your Perl script to your browser:

open STDERR, ">&STDOUT";

The above line of code says STDERR and STDOUT are going to the same place. Since STDOUT is already going to your browser, STDERR is now going to the same place --- your browser.

Perhaps a better way to interpret the above line of code is send STDERR to STDOUT. That's the literal meaning.

The next line of code is called a constructor. It constructs an object that you use to communicate with your mail server. In this case, the object is called $smtp.

$smtp = Net::SMTP->new($server, Debug => 1);

The above line of code does more than just construct an object called $smtp. It also turns on debugging.

Remember STDERR? This where STDERR comes in. In these two lines two things are happening:

1. Debugging has been turned on
2. All debugging is being sent to your browser

When I say all debugging is being sent to your browser, I mean all error messages are being sent to your browser.

Of course, in the above code, these two steps happen in reverse order. Here's the code again:

open STDERR, ">&STDOUT";

$smtp = Net::SMTP->new($server, Debug => 1);

After this, the code manipulates the object called $smtp to good effect:

$smtp->mail($from);
$smtp->to($to);

$smtp->data();
$smtp->datasend("To: $to\n");
$smtp->datasend("Subject: $subject\n");
$smtp->datasend("\n");
$smtp->datasend("A simple relay test message\n");
$smtp->dataend();

$smtp->quit;

The last line of code is probably unnecessary:

close STDERR;

It appears to me that the last line of code is there for good form only. Since perl closes all files at the end of the script, STDERR would be closed anyway.

However, following good form and good coding practices is important. There's really no reason why you should not explicitly close a file. By unnecessary, I only mean to say that the last line of code really doesn't change anything --- it would happen anyway.

Update: August 17, 2013

In re-reading my post, I see I got a bit off-track. I started off by turning off perl taint mode to see if I could get formmail running on an IIS server. I did get it to run but did not get it to work.

It did not work because the email relay at the hosting company was not working. So, I went looking for a program that would test the email relay.

I found a program that tested the email relay but, unfortunately, it would not work as-is in my browser. So, I found another web page that told me how to modify the program to work in my browser since I have no access to the webserver I'm working on except browser access and FTP access.

By the way. The email relay is now working. The web hosting company came through by giving me permission to relay the specific email addresses I asked them to relay.

This is probably an example of a web hosting company relaying only known email addresses so as to avoid becoming an open spam relay. Web hosting companies have to be super-careful these days about inadvertantly relaying spam.

Update: August 19, 2013

Since this post has transformed into a discourse on Net::SMTP, I've decided to continue my thoughts here:

Email Relay Testing With Perl

Update: August 22, 2013

According to this post, Windows does not need the shebang line at all:

What Should I Use for a Perl Script's Shebang line?

It appears to me that Windows uses the .pl extenstion instead to execute your Perl Script. However, if you have a shebang line with Taint mode specified, in addition to having a .pl extenstion, it seems to be a problem. Why? I don't know why.

Since ActiveState Perl (read, Windows Perl) does not use the shebang line, maybe I would be better off without the shebang. I should probably just remove the shebang line.

The rather bizarre impression I'm getting is that ActiveState Perl does not use the shebang line, but IIS web server tries to use it anyway. Is this possible? I'm not sure. I don't know enough about the interaction between IIS web server and ActiveState Perl to know why this would be true or would not be true. Just a theory right now.

Ed Abbott

Collapsing and ExpandingField PHP FormMail Generator

 
Here's a highly sophisticated formmail
generator. This one is very capable and
seems to include fileds that collapse and
expand as needed.

In other words, if a group of fields are
not applicable, they will collapse or if
they are applicable, they will expand.

This formmail program is written in PHP
and makes use of JavaScript to take care
of the expanding and collapsing fields.

Here it is:

phpFormGenerator

Ed Abbott

FormMail Character Revue, Part 1

 
Like a storybook, FormMail has
a cast of characters. These
character determine the character
of FormMail itself.

FormMail is really a character-
driven story. It is the characters
that move the story along.

In this particular case, I'm referring
specifically to NMS FormMail,
though, when it comes to a cast of
characters, any FormMail will do. That
is to say, each version of FormMail will
also have a cast of characters, though
not precisely the same as these characters.

The first character we should consider
is the @allow_mail_to array. More
than being a single person, this is an
association of sorts. It's a club.

Everyone in this club can receive a
copy of the submitted form. This is
very similar to the To Field in
an email. The @allow_mail_to array
determines who can receive the filled-out
form as an email.

The @allow_mail_to array determines
who can receive the form as email, not
who will. In this sense it is like a
country club where all club members are
are eligible to play golf but not all
will.

The next character to consider is the
%recipient_alias hash array.
This character works just like the
@allow_mail_to array except that
this character works undercover.

Whereas the @allow_mail_to array
openly publishes its membership, the
%recipient_alias hash array is
secretive about its membership. Basically,
the %recipient_alias hash array is
a secret society.

Again, %recipient_alias hash array,
is a recipient array only in terms of potential.
Not everyone on the list will receive the filled-out
form as an email.

Why? Because in the case of both the @allow_mail_to array
and the %recipient_alias hash array receivership
is determined by who actually gets their email address
listed in the HTML form itself.

That's where secrecy comes in handy. If you would
like to hide your email address from spambot harvesters,
you will prefer the %recipient_alias hash array
over the @allow_mail_to array. The %recipient_alias
hash array hides your email address by describing it
with an alias rather than publishing it directly in
the HTML of your form. This foils spammers who
would like to put you on their list to receive more
spam.

What's the lesson here? Know who you can trust. If
you know you can't trust everyone, you will not be
inclined to publish your email address in a place
where it can be read publicly.

Your website and consequently, your HTML Form
is a public place. Anyone can read it as HTML Anyone
can pick up your email address this way.

Using the %recipient_alias hash array
solves the problem. This array keeps things
simple for you. Only the FormMail program
itself knows your email address, not the general
public.

Ed Abbott

Enabling CGI to Get FormMail.pl Working

 
I just encountered something new. I'm
doing some work at a web hosting company
where I've never ever tried to get a CGI
script working before.

The name of the hosting company I'll withhold;
however, I've been happy with them in the
past, and so I'm back again having chosen them
as the web hosting company for the website
I'm currently working on.

I asked their support team, via online chat,
why the supplied test scripts that are found
in cgi-bin are not working. Turns out
that cgi-bin needs to be enabled.

Can't say I blame them for requiring this. This
is just one more layer of defense against having
the web hosting account hijacked by the bad guys.

Here's what their support team said to me via
online chat:

CGI scripts require the cgi-bin directory to be
enabled for your site, otherwise they will not
work. To enable the cgi-bin:

1. Log into your Hsphere control panel @ http://www.hosting.com/login.html
2. Click on web options.
3. Click on "Add" next to CGI dir
4. Enter /cgi-bin as the directory alias.
5. Click "Changes need to be applied".

Once you have done this, your scripts should
start working within 30 minutes.

Since this may be a layer of defense (a very
minor layer of defense) for the hosting company
in question, I've decided not to publish their
name.

However, the principle could possibly be fairly
universal. If the simplest of simple CGI scripts
does not work, it could be that CGI has to be
enabled in the web hosting account control panel.

Seems that setting up the simplest of CGI forms
can be time-consuming for this reason. In spite
of the simplicity of CGI, because of its power
and versatility, it often seems to be hobbled
in some way or another by the web hosting company.
This may be to keep the CGI folder from being obvious
to the bad guys.

Finding out how to get even the simplest CGI
script, such as FormMail, can be time-consuming
until it is realized that it is not intended
to work without intervention.

What's the lesson?

Situations that appear to be identical may not
be identical at all. Assuming that a cgi-bin
directory will actually work may not be a safe
assumption. It may turn out that what appears
to be a normal situation requires further investigation.

Each situation, no matter how similar
it may appear to be to a prior situation,
is, in reality, its own situation.

Ed Abbott

How to Do Email Forwarding From a Web Form

 

Email forwarding is when one
email account is forwarded
to another:

Here are some of the advantages
of email forwarding:

1. When you change email addresses,
   you can forward the old email address
   to the new email address
2. If you have more than one email
   address, you can forward all email
   to one email address
3. Form mail can be received
   at an email account native to
   the website form but then forwarded
   to a non-native email account.

What is a native email account? It
is youremail@yourdomain.com.
What is a non-native email account? It
is youremail@someoneelsesdomain.com.

See the difference? A native account
has your domain name included in the email
addresss. A non-native account has
a domain name other than your domain
name included in the email address.

By definition, a Gmail account is a
non-native account. By definition,
your.name@gmail.com is non-native.
That is, unless you own the domain name
gmail.com. Nobody does. It's
a corporate name owned by Google.

Corporate domain names are non-native
and the domain name that you personally
own is native. Why ami I making such
a big deal about this?

I'm making a big deal about it because
it can make the difference between
getting your form to work and not having
it work. At many hosting companies, sending
your email form to a non-native email account
is not allowed.

It's a form of spam protection. By disallowing
non-native email accounts, the web hosting
company protects themselves from being used
as a spam relay.

It's hard to relay spam if the only place the
spam ever goes to is the domain name that
is native to your website and not any
other place. That's not much of a coup
for a spammer.

More later.

Ed Abbott

FormMail and YourWeb Page Working Together

A FormMail program works together
with a web page. That's the
essential nature of formmail.

Everything has its essential
nature. The essential nature
of FormMail is a partnership.

When I say FormMail, I
really mean FormMail programs
in general. FormMail programs
are a class of program's on
the World Wide Web.

I write more about this here:

What Is Formmail?

So basically, getting FormMail
to work is all about getting
a relationship to work.

As with so many relationships,
FormMail is a partnership. It
is a partnership between a web
page that has a form on it and
a program that processes that
form.

This relationship can be defined
in steps:

1. A web visitor sees your
   form on your website.
2. Your web visitor fills
   out the form.
   
   Oftentimes, this form will be
   a contact form. Perhaps you've
   asked the web visitor to supply
   name and address information so
   that you can mail the web visitor
   more information through the mail.
3. After the web visitor fills out
   the form, the web visitor presses
   the submit button at the
   bottom of the form.
4. Once the form is submitted
   it is sent to FormMail
   as name-value pairs.
5. FormMail retrieves the information
   as fields that are name-value pairs.
   
   For example, the name of the web
   visitor might be John Smith.
   
   FormMail sees this as a name field
   that has been filled out by the
   web visitor.
   
   Typically, the name of the field
   is name and the value that
   is placed into the field is
   John Smith, for example.
   
   This is what is meant by a name-
   value pair. This is what
   FormMail sees.
   
   FormMail sees as many name-value
   pairs as it takes to complete the
   form.
   
   Here's are some possible name-value
   pairs:
   
   
   • name=John Smith
   • address=123 main st.
   • city=auburn
   • state=maine
6. FormMail takes the
   name-value pairs and places
   them into an email
7. FormMail then sends the
   email to you as the website
   owner.

This, in brief, is how FormMail
works.

Ed Abbott

What Is Formmail?

OK. This is a new blog.

What is Formmail?

The question can be answered
several different ways.

First of all, it is a script
written by Matt Wright. Here's
Matt's site:

Matt's Script Archive

Matt recommend's that you use
a more secure drop-in replacement
for his script.

Here's where Matt makes this
recommendation:

Why Matt Recommends NMS FormMail

That's the original meaning
of Formmail. However, this
meaning has morphed somewhat
to mean more than this.

We also have generic FormMail
scripts that mimic the functionality
of Matt's script.

Matt's script was written in
a programming language called
perl.

Here's an ASP script that mimics
Matt's FormMail script:

Brainjar FormMail Script

I write about this script here:

Choosing an ASP FormMail Program

Ed Abbott