Hello Jorge, thanks for your answer. A few hours ago I figured out what the problem was: the compromised user has 2 accounts on our server, on different domains; probably both accounts were hacked (they had the same password...), but I was closing and investigating only one of them. The domain part was missing in zimbra.log lines (I saw only lots of logins for user.name, not user.name@domain1 or user.name@domain2), but I forgot that we have a default domain that does not require the domain part in the username to login.
Changing the password on the secondary account blocked the spamming.
Only a note, since I investigated a lot because of this puzzling problem: the lines regarding admin interface and port 7071 are normal! This post from Quanah explains it well: viewtopic.php?p=266783#p266783
Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA that is why you see your SERVER IP.
But I did not find any documentation about this flow...only a few topics on this forum with scared people wondering why hackers got access to their web admin interface, that is blocked from the internet by firewall...like I was.
Hope re-posting this explanation will help!
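As an added example (not part of the original post and not Zimbra's own tooling), a small Python script that resolves bare SASL usernames against the default domain and groups auth events per full account, so both of a user's accounts on different domains show up side by side instead of one being overlooked. The log lines, IPs, account names and the default domain `domain1.example` are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd SASL format (the kind of lines
# found in zimbra.log); hosts, IPs and account names are made up.
SAMPLE_LOG = """\
Jan 10 10:00:01 mail postfix/smtpd[1234]: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=user.name
Jan 10 10:00:09 mail postfix/smtpd[1234]: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=user.name
Jan 10 10:01:15 mail postfix/smtpd[1240]: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=user.name
Jan 10 10:02:30 mail postfix/smtpd[1251]: client=unknown[192.0.2.9], sasl_method=LOGIN, sasl_username=user.name@domain2.example
Jan 10 10:03:44 mail postfix/smtpd[1260]: client=unknown[203.0.113.50], sasl_method=LOGIN, sasl_username=other.user@domain2.example
Jan 10 10:04:00 mail postfix/smtpd[1260]: disconnect from unknown[203.0.113.50]
"""

SASL_RE = re.compile(r"client=\S*?\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)")


def normalize_account(username, default_domain):
    """A login name without '@' is resolved to the default domain's account."""
    return username if "@" in username else f"{username}@{default_domain}"


def auth_summary(log_text, default_domain):
    """Return {account: {"count": n, "ips": set}} over all SASL auth lines."""
    summary = defaultdict(lambda: {"count": 0, "ips": set()})
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if not m:
            continue  # not an authentication line
        account = normalize_account(m["user"], default_domain)
        summary[account]["count"] += 1
        summary[account]["ips"].add(m["ip"])
    return dict(summary)


def sibling_accounts(summary):
    """Local parts that exist in more than one domain: the same person, several accounts."""
    by_local = defaultdict(set)
    for account in summary:
        local, _, domain = account.partition("@")
        by_local[local].add(domain)
    return {local: doms for local, doms in by_local.items() if len(doms) > 1}


if __name__ == "__main__":
    summary = auth_summary(SAMPLE_LOG, "domain1.example")
    for account, info in sorted(summary.items()):
        print(f"{account}: {info['count']} auths from {sorted(info['ips'])}")
    print("local parts with accounts in several domains:", sibling_accounts(summary))
```

When a password reset on one account does not stop the spam, the `sibling_accounts` output is the quick check for a second account that shares the same local part (and, as here, the same password).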