first i don't want to blame anyone or anytinhg ISPConfig is a great tool and i am happy to have it.
what i wanted is to tell that i think that it is a security problem having ONE pwd for several issues (especially if the pwd is sented in plain text)
and i think it is very easy to install a net-sniffer programm. you only need (for example) a root-server - lets say at strato - to sniff the network traffic inside strato and so the "man in the middle" is no problem.
ok it's only my opinion but i think, that many users use the admin of the web to also send and receive email and i am not really sure, if they know the problem.