Sometimes email accounts get hacked, and it can be a nuisance for the server administrator.
For Zimbra administrators, most of the time the admin will pretty quickly work out that somebody's account has been hacked, because the mail queue will be completely full of emails and there will be complaints that emails are not being delivered. What admins have a problem with, however, is working out whose email account has been hacked.
A lot of resources online show how to clear mail queues, but very few actually show you how to work out whose email account has been hacked.
The log to look at is /var/log/zimbra.log (if you are using CentOS).
What you do is make a copy of zimbra.log somewhere and then work on that copy rather than the live log. So you can do:-
cp /var/log/zimbra.log /root/zimbra.2022jun28.log
cat /root/zimbra.2022jun28.log | grep sasl_username
If you see a particular account coming up a lot, then it's most likely that this email account has been hacked.
If you see intervals of only seconds between each email sent out, then you'll know that that account has been hacked. Then you can log into Zimbra Admin to change the password for that account.
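The two checks above (how often each sasl_username shows up, and how close together its submissions are) can be scripted against the saved copy of the log. The script below is an added example and not part of the original post; the log lines in it are constructed, with invented accounts and addresses, in the postfix/smtpd format that zimbra.log uses. Point the functions at your own copy (for example /root/zimbra.2022jun28.log) instead of the sample file.

```shell
#!/bin/sh
# Added example, not part of the original post: find the account behind a mail
# flood in a saved copy of zimbra.log. It counts submissions per sasl_username
# and measures the shortest gap between two submissions by the same account.
# The log lines below are constructed; the accounts and addresses are invented.

SAMPLE_FILE=$(mktemp)
cat >"$SAMPLE_FILE" <<'EOF'
Jun 28 10:15:01 mail postfix/smtpd[1201]: 4B1F2C3D4E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Jun 28 10:15:03 mail postfix/smtpd[1201]: 4B1F2C3D50: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Jun 28 10:15:05 mail postfix/smtpd[1203]: 4B1F2C3D55: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Jun 28 10:15:07 mail postfix/smtpd[1201]: 4B1F2C3D66: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Jun 28 10:16:40 mail postfix/smtpd[1204]: 4B1F2C3D60: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jun 28 10:17:02 mail postfix/qmgr[1010]: 4B1F2C3D60: from=<bob@example.com>, size=2048, nrcpt=1 (queue active)
Jun 28 11:02:12 mail postfix/smtpd[1210]: 4B1F2C3D70: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
EOF

# Print "<time> <account>" for every authenticated submission in log file $1.
# Pulls sasl_username out of whichever field carries it and drops a trailing comma.
submissions() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^sasl_username=/) {
               sub(/^sasl_username=/, "", $i); sub(/,$/, "", $i); print $3, $i } }' "$1"
}

# Print "<count> <account>", busiest account first.
count_senders() {
    submissions "$1" | awk '{ print $2 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Shortest gap in seconds between consecutive submissions by account $2 in log $1.
# Assumes the copy covers a single day and is in log order; prints n/a for fewer than 2 hits.
min_interval() {
    submissions "$1" | awk -v acct="$2" '$2 == acct {
            split($1, t, ":"); s = t[1] * 3600 + t[2] * 60 + t[3]
            if (n == 0) best = 1e9
            else if (s - prev < best) best = s - prev
            prev = s; n++ }
        END { if (n < 2) print "n/a"; else print best }'
}

# Print "<account> <count> <shortest gap>" for accounts that submitted
# two messages less than $2 seconds apart; these are the ones to look at first.
flag_fast_senders() {
    count_senders "$1" | while read -r cnt acct; do
        gap=$(min_interval "$1" "$acct")
        if [ "$gap" != "n/a" ] && [ "$gap" -lt "$2" ]; then
            echo "$acct $cnt $gap"
        fi
    done
}

echo "Submissions per account:"
count_senders "$SAMPLE_FILE"
echo "Accounts submitting less than 60 seconds apart:"
flag_fast_senders "$SAMPLE_FILE" 60
```

On the sample, alice@example.com shows four submissions two seconds apart and is flagged, while bob@example.com's two messages are 45 minutes apart and are not. The gap threshold is a judgement call for your site; a user with a mail merge can legitimately send a burst, so the flagged list is where to start looking, not proof on its own.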
To delete all deferred emails within the queue, run the following as root:-
On Zimbra 8 the command is:-
/opt/zimbra/common/sbin/postsuper -d ALL deferred
On Zimbra 7 the command is:-
/opt/zimbra/postfix/sbin/postsuper -d ALL deferred