Important feature requests (security)
First, allow me to thank you for an awesome product with great potential. I managed to configure a brand new server and get a pretty good insight into how ISPConfig works in about 6-7 hours. I like how simple it is, yet packed with lots of great features.
Now, to my feature requests.
1) As far as I understand, [Fast-]CGI is the recommended way of integrating PHP, as scripts are executed with user privileges - but only as long as SuEXEC is enabled (right?). Unfortunately a client may choose not to enable SuEXEC, leaving [FAST-]CGI just as "open" as mod_php (forcing me to use PHP SAFE Mode). I would very much like to be able to force the use of SuEXEC. Either within ISPConfig, or using a configuration file (is that possible?).
2) I don't want my clients being able to enable CGI, Ruby, Python, SSL etc. for their websites, but there seem to be no options to disable these features. Again, I feel the client has too much to say in this matter.
3) I'm able to set quota for websites and e-mail accounts, but not for FTP accounts - again, the client can enter a MB value to his or her liking. Could you have it respect the quota for websites?
4) I wasn't able to remove an SSL certificate created for one of my websites. I chose "Delete certificate" from the drop-down and saved the website, but the certificate was not removed. I had to remove the entire website.
5) Why is it possible to edit ordinary client accounts under System > Edit user, when such behaviour may damage data? It should be possible to only display admin accounts (if those are safe to edit).
I hope this does not sound like a lot of complaining. I'm merely trying to help you guys improve the product. On the other hand there's a chance my problems can be solved using alternative measures (in that case, please enlighten me).
Again, thank you very much for the great work that has been put into ISPConfig and the huge manual.
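For request 1, an audit of the Apache vhost configuration can flag sites where CGI/FastCGI is enabled but no `SuexecUserGroup` directive is set. The script below is an added example, not part of the original post and not ISPConfig code; the sample vhosts, host names and paths are constructed, and it assumes the vhost text has been read into a string.

```python
import re

# Constructed sample input (hypothetical names and paths, not from an ISPConfig install).
SAMPLE = """
<VirtualHost *:80>
    ServerName safe.example.test
    SuexecUserGroup web1 client1
    <Directory /srv/example/safe/web>
        AddHandler fcgid-script .php
        FcgidWrapper /srv/example/safe/php-wrapper .php
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName open.example.test
    # SuexecUserGroup web2 client2
    AddHandler fcgid-script .php
</VirtualHost>
<VirtualHost *:80>
    ServerName static.example.test
    DocumentRoot /srv/example/static/web
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.I | re.S)
# Apache directives that enable CGI/FastCGI execution for a site.
EXEC = re.compile(r"^(Fcgid?Wrapper|ScriptAlias(Match)?)\b|^AddHandler\s+(fcgid-script|cgi-script)\b", re.I)

def directives(body):
    """Yield directive lines, skipping blanks, comments and container tags."""
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            yield line

def audit(config_text):
    """Return ServerNames of vhosts that run CGI/FastCGI without SuexecUserGroup."""
    findings = []
    for match in VHOST.finditer(config_text):
        lines = list(directives(match.group(1)))
        name = next((l.split()[1] for l in lines if l.split()[0].lower() == "servername"), "(unnamed)")
        runs_scripts = any(EXEC.search(l) for l in lines)
        has_suexec = any(l.split()[0].lower() == "suexecusergroup" for l in lines)
        if runs_scripts and not has_suexec:
            findings.append(name)
    return findings

if __name__ == "__main__":
    for site in audit(SAMPLE):
        print("CGI/FastCGI enabled without SuexecUserGroup:", site)
```

The check only looks inside each `<VirtualHost>` block, so handlers or suEXEC settings defined at server level or in `.htaccess` files need a separate review.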