Requiring confirmation from the old email is not a good idea for the reason already mentioned.
Asking for password reentry to change the mail address would be good. If you have left your browser open where other people could have access to it, then it gives an extra measure of protection. Requiring a signed blockchain message for an email change could be a good way to stop this type of hijack.
Requiring email confirmation on signup is also good to help reduce spammers. It doesn't help in this case, but I believe it would be beneficial for the forum.
{reply crafted before the previous post was submitted}
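The password re-entry check suggested in the post above, as an added example that is not part of the original post or the forum's own code: a logged-in session alone cannot change the e-mail address. The names `USERS`, `register` and `change_email`, the session dictionary and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store (hypothetical); a real forum would use its database.
USERS = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username: str, email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {
        "email": email,
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
    }


def change_email(session: dict, new_email: str, password_reentry: str) -> str:
    """Change the e-mail only if the current password is re-entered correctly.

    `session` stands for an already authenticated browser session. Being
    logged in is deliberately not sufficient: someone sitting at a browser
    that was left open has the session but not the password.
    """
    user = USERS.get(session.get("username"))
    if user is None:
        return "not_logged_in"
    candidate = _hash_password(password_reentry or "", user["salt"])
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return "reauth_failed"  # e-mail address left untouched
    user["email"] = new_email
    return "changed"


if __name__ == "__main__":
    register("alice", "alice@example.org", "correct horse")  # constructed sample data
    open_browser = {"username": "alice"}  # valid session, e.g. an unattended browser
    print(change_email(open_browser, "thief@example.net", ""))
    print(change_email(open_browser, "alice@example.com", "correct horse"))
```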