You should be using MIME::Lite instead, or maybe Mail::Sender or one of the other mail sending modules. Especially having a "mail sending program" available under /var/www/cgi-bin seems highly problematic as that program will likely be accessible from the outside by crafting a HTTP access.

In your invocation, you have

   '-t','$email_to',
[download]

... but single quotes do not interpolate. You want to leave out the single quotes. But see above for the use of MIME::Lite instead.

WAIT! ^ MIME::Lite is not recommended by its current maintainer. There are a number of alternatives, like Email::MIME or MIME::Entity and Email::Sender, which you should probably use instead. MIME::Lite continues to accrue weird bug reports, and it is not receiving a large amount of refactoring due to the availability of better alternatives. Please consider using something else.

This message is on the cpan page of MIME::Lite

Should I use it?

It works quite well for me, and does so since at least 7 years, so I don't see the reason why it shouldn't be recommended. I don't think that the Email namespace is inherently bad either, but I haven't used any of the modules so I can't recommend any specific module.

It is faster for a programmer who is familiar with shell tools to use system (45 seconds) than to spend an hour or 2 to install and read the POD and write up and test examples on a cpan library. The location of sendmail is a security problem here tho.

What the problem may be?