The referer value is trivially forged, so putting code to check it is a false security step (and a bit distracting). If you don't protect this with SSL, you're gonna get bit. (I hope you're aware that BasicAuth is trivially sniffed.)

And, your .forward has to be owned by you, not by the web user, and not writable by group or world, or else it will be ignored by every sensible MTA that I've seen.

Also, calling a bunch of shell-outs in a Perl program for things that are trivially done in Perl doesn't win any points for style. In fact, it has the negative impact in that if you decide to make this script setuid to fix the previous problem, your script will no longer work!

In summary, nice idea, but poor implementation.

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.