I found that "Email Routing" is very insecure. It's possible to take over an email from other clients on our server.

example:
We have two clients on one server: VIP and SMARTGUY
VIP client have a domain: vip.com
and mailboxes eg: boss@vip.com, ...

When SMARTGUY have a "Email Routing" enabled in his ISP panel he can redirect all VIP emails to his outside mail server.

All he has to do is:
1. Configure his outside mailserver to accept emails from "vip.com" (and configure mailboxes, or some catchall).
2. Configure in panel on his account "SMARTGUY" in "Email Routing":
- Domain: vip.com
- Destination: smartguymailserv.com (or simply "*"!)

And all emails for vip.com are redirected to his SMARTGUY server.

"Email Routing" is disabled in default client templates, but some admins may it enable and may not be aware of the danger.

This is not insecure, its the purpose of this function to redirect any kind of email address, protocol or domain to any other destination. So the function can not be restricted without loosing its functionality. If a admin does not know what the function is for, he shall not enable it. If ISPConfig disables a function in its defaults then there are good reasons too do that.

I think that the function can be restricted by check that domain is/or isnt used by any client. Only for listed in "Relay Recipients" menu.

best regards.

This functions is not just for domains. So the value can be anything incl. custom transports defined in main.cf, so checking for a domain will not work. Thst why we decided to disable it as default.