We sometimes get compromised accounts which are difficult to trace from just looking at the logs.
I just discovered a neat way to tag each sent mail with a header showing the authenticated user that sent it.
As user Zimbra (Zimbra 8.x)...

    postconf -e 'smtpd_sasl_authenticated_header = yes'

Now emails will contain a header such as...

    Received: from simon.example.com (unknown [18.104.22.168])
        (Authenticated sender: simon)
        by mail.example.com (Postfix) with ESMTPSA id 9E2C0200108
        for <email@example.com>; Mon, 14 Apr 2014 13:13:23 +0100 (BST)

Hope that helps.
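
Added example, not part of the original post: with the header enabled, a reported message can be tied back to the login that submitted it by reading the Received hop your own MTA stamped. The function names, the relay host mx.example.net, the 192.0.2.x addresses and every sample after the first are constructed assumptions.

```python
import email
import re
from collections import Counter

# Comment Postfix adds when smtpd_sasl_authenticated_header = yes
AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)")
QUEUE_ID_RE = re.compile(r"\bwith\s+\S+\s+id\s+(\w+)")

def submission_hop(raw_message, mta_host):
    """Return (login, queue_id) from the topmost Received header that
    mta_host stamped with an authenticated sender, or None."""
    msg = email.message_from_string(raw_message)
    # Headers are prepended, so the topmost match is the one our MTA wrote.
    # A match further down may be client-supplied: confirm the queue ID in the log.
    for received in msg.get_all("Received", []):
        hop = " ".join(received.split())  # unfold continuation lines
        if f" by {mta_host} " not in hop:
            continue
        auth = AUTH_RE.search(hop)
        if auth:
            qid = QUEUE_ID_RE.search(hop)
            return auth.group(1), (qid.group(1) if qid else None)
    return None

def tally_logins(raw_messages, mta_host):
    """Count messages per authenticated login across a set of samples."""
    hops = (submission_hop(m, mta_host) for m in raw_messages)
    return Counter(h[0] for h in hops if h)

# Constructed samples: the first reuses the header shown in the post.
OWN_HOP = ("Received: from simon.example.com (unknown [18.104.22.168])\n"
           "\t(Authenticated sender: simon)\n"
           "\tby mail.example.com (Postfix) with ESMTPSA id {qid}\n"
           "\tfor <email@example.com>; Mon, 14 Apr 2014 13:13:23 +0100 (BST)\n")
RELAY_HOP = ("Received: from mail.example.com (mail.example.com [192.0.2.10])\n"
             "\tby mx.example.net (Postfix) with ESMTPS id 7C0DE00001\n"
             "\tfor <email@example.com>; Mon, 14 Apr 2014 13:13:25 +0100 (BST)\n")
INBOUND_HOP = ("Received: from mx.example.net (mx.example.net [192.0.2.20])\n"
               "\tby mail.example.com (Postfix) with ESMTPS id AB12CD34EF\n"
               "\tfor <simon@example.com>; Mon, 14 Apr 2014 14:02:11 +0100 (BST)\n")
BODY = "Subject: constructed sample\n\nbody\n"
SAMPLES = [
    OWN_HOP.format(qid="9E2C0200108") + BODY,             # direct submission
    RELAY_HOP + OWN_HOP.format(qid="4F1A2B3C4D") + BODY,  # seen after a relay
    INBOUND_HOP + BODY,                                   # unauthenticated inbound
]

if __name__ == "__main__":
    print(tally_logins(SAMPLES, "mail.example.com"))
```

The queue ID returned alongside the login is the value to search for in the mail log. Because the header travels with the message, recipients also see the login name.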