DualBoot wrote: Just grep user_saslname, not with the account name.
Then sort and count. Maybe the user_saslname is different from the sender.
Another explanation is the use of the webmail by the attacker.
Yeah sure, but I have a question.
Every time a user sends an email, I have to see a line in zimbra.log with the sasl_username of the sender, right?
Because I sent an email from that server just now and I don't have a sasl_username line in the log.