Just adding some info to the discussion, you can create domain_create_post.sh to be called by DA after a domain is created. You can run anything you'd like:
http://www.directadmin.com/features.php?id=183
At the moment, you can implement email user forward creation modification using the API:
http://www.directadmin.com/features.php?id=411
So, only 1 account can do it, yes (the DA account), but entering the user/pass for that DA account into a script to do all the work for you and then have users access your script would also work.
As for email accessing forwarders without needing the DA user password (even if only the script knows it), it could only work if they also had a pop account associated with it. This is because forwarders don't have passwords. DA could give the user the ability to add a forwarder in addition to their pop account, however that would not stop email from being saved in addition to being forwarded. If the email user only wanted a forwarder and not to save any email in his pop account, then the pop has to be deleted... thus also deleting the password that goes with it.. and DA can no longer authenticate an email user to access a forwarder.
So at the moment, the API method is probably the solution for automated forwarder creation by email users, but each separate domain would need a copy of its own API script because each domain has a different user. OR you can use an Admin account (eg, create admin2), but that's more risky having the password saved in a script. You can lessen this risk if you use an Admin account with the API with this technique (different commands though):
http://help.directadmin.com/item.php?id=150
John
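
The wrapper-script approach described in the post above, sketched as an added example (not part of the original post and not DirectAdmin's code): the script keeps the DA login in an owner-only file and only builds a forwarder request for its own domain from validated fields. The file layout, `ALLOWED_DOMAIN` and the helper names are hypothetical, and the `CMD_API_EMAIL_FORWARDERS` field names are an assumption to check against the API page linked in the post.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlencode

# Assumed names: the credentials file layout, ALLOWED_DOMAIN and the helper
# functions are hypothetical. CMD_API_EMAIL_FORWARDERS and its fields are
# assumed from the DirectAdmin API; check them against the API page.
ALLOWED_DOMAIN = "example.com"          # the one domain this copy serves
LOCALPART = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def load_credentials(path):
    """Read 'user:password' from a file only its owner can access."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/other")
    with open(path) as fh:
        user, _, password = fh.readline().rstrip("\n").partition(":")
    if not user or not password:
        raise ValueError("credentials file must contain user:password")
    return user, password

def build_forwarder_request(domain, localpart, destination):
    """Validate user-supplied fields; return (endpoint, urlencoded body)."""
    if domain != ALLOWED_DOMAIN:
        raise ValueError("domain not served by this script")
    if not LOCALPART.fullmatch(localpart):
        raise ValueError("invalid forwarder name")
    if not ADDRESS.fullmatch(destination):
        raise ValueError("invalid destination address")
    body = urlencode({"action": "create", "domain": domain,
                      "user": localpart, "email": destination})
    return "/CMD_API_EMAIL_FORWARDERS", body

def demo():
    """Constructed sample run: a 0600 credentials file and one request."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "da.cred")
        with open(path, "w") as fh:
            fh.write("domainuser:constructed-password\n")
        os.chmod(path, 0o600)
        user, _ = load_credentials(path)
    return user, build_forwarder_request(ALLOWED_DOMAIN, "sales", "me@example.net")

if __name__ == "__main__":
    print(demo())
```

Because the fields are matched in full before encoding, a forwarder name carrying extra `&key=value` pairs or a different domain is rejected before any request is built with the stored account.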