Follow-up if people end up in a similar situation or have similar concerns.
I think good indicators for suspect behaviors are:
- Many messages pending in mail queue with weird recipient names:
mailq
- Many different IPs appearing in the output of
grep -nr "sasl_username" /var/log/mail.info{,.1} | grep -E -o "client=.*," | sort | uniq -c | sort -n
- And/or many servers rejecting emails with error code 4xx (here I used specific keywords, it’s a bit difficult to distinguish between issues on the remote server vs. issues that may relate to a compromised server)
grep -nr 'said: 4' /var/log/mail.info{,.1} | grep 'too quickly\|complaints\|Throttled\|Policy Rejection'
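As an added example that is not part of the original post, here are the second and third indicators (distinct client IPs per SASL user, and 4xx deferrals carrying throttling keywords) as shell functions run over constructed Postfix log lines; the hostnames, IPs, usernames and the threshold of 3 are made up.

```shell
#!/bin/sh
# Added example, not from the original post: the two log indicators as
# functions fed from stdin. The lines below are constructed (made-up hosts,
# documentation-range IPs, invented users); real input is /var/log/mail.info.
SAMPLE_LOG='Mar  3 10:01:02 mx postfix/smtpd[1234]: 1A2B3C: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice
Mar  3 10:01:09 mx postfix/smtpd[1234]: 1A2B3D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice
Mar  3 10:01:15 mx postfix/smtpd[1235]: 1A2B3E: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=alice
Mar  3 10:01:20 mx postfix/smtpd[1235]: 1A2B3F: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=alice
Mar  3 10:02:01 mx postfix/smtpd[1236]: 1A2B40: client=laptop.example.org[203.0.113.9], sasl_method=PLAIN, sasl_username=bob
Mar  3 10:02:30 mx postfix/smtp[2222]: 1A2B3C: to=<x@example.net>, relay=mx.example.net[198.51.100.1]:25, dsn=4.7.0, status=deferred (host mx.example.net[198.51.100.1] said: 421 4.7.0 Too many messages sent too quickly (in reply to MAIL FROM command))
Mar  3 10:02:35 mx postfix/smtp[2223]: 1A2B3D: to=<y@example.com>, relay=mx.example.com[198.51.100.2]:25, dsn=4.3.2, status=deferred (host mx.example.com[198.51.100.2] said: 451 4.3.2 Try again later (in reply to end of DATA command))'

# Distinct client IPs per sasl_username, printed as "user count" sorted by user.
sasl_ip_counts() {
  grep 'sasl_username=' \
    | sed -E 's/.*client=[^[]*\[([^]]+)\].*sasl_username=([^, ]+).*/\2 \1/' \
    | sort -u \
    | awk '{ n[$1]++ } END { for (u in n) print u, n[u] } ' \
    | sort
}

# Users that authenticated from at least $1 distinct IPs. The threshold is an
# assumption; tune it to how many networks your users legitimately send from.
flag_users() {
  sasl_ip_counts | awk -v t="$1" '$2 >= t { print $1 }'
}

# Count 4xx deferrals whose remote text hints at reputation or rate limiting
# (same keywords as the post); prints 0 instead of failing when none match.
count_throttle_rejects() {
  grep 'said: 4' | grep -E -c 'too quickly|complaints|Throttled|Policy Rejection' || true
}

# Stand-alone demo on the constructed sample
printf '%s\n' "$SAMPLE_LOG" | sasl_ip_counts
printf 'flagged (>=3 IPs): %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | flag_users 3)"
printf 'throttle-like 4xx: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_throttle_rejects)"
```

On a real box, replace the `printf` of `$SAMPLE_LOG` with `cat /var/log/mail.info{,.1}` and watch the flagged list over time rather than a single run.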