If you read the entire thread again, this started as emails being sent via an email client program; at that point they had to have the username/password to send it via Virtualmin.
I then blocked email client programs, so they logged into Usermin - evidence being the emails in the Sent folder and knowing that they had the password at that point.
I then changed the user password, yet a day later they were back sending via Usermin - evidence being emails in Sent again.
The log from the Vmin server shows the emails being delivered to my outgoing filter server. The outgoing filter server log shows the emails coming from the Vmin server. The header shows that the email originated from Usermin: “X-Mailer: Usermin 1.860”
I can post the full header, but it would need significant editing for privacy reasons; perhaps I could send it as a job ticket.
There is no evidence to make me suspect that the server is the problem. It’s a relatively new RHEL 9.1 install with very little added (mainly MC), and both the OS and VMin are up to date. The system logs (maillog, messages, secure) don’t raise any red flags.
The only log that bothers me is usermin/miniserv.log, as it doesn’t show the dodgy logins, but nor does it show legitimate logins for that user from the 18th until late afternoon on the 21st, yet there were legitimate emails sent from Usermin in that time.
Possibly the user was logged in all that time from the 17th to the 21st, but what about the dodgy emails, unless the hackers are in the device that was logged in all that time?
I am being very open minded about what might have happened, but to me it still looks like they accessed Usermin, which would have required the username/password unless there is a flaw in Usermin - of which there is no evidence.
Anyway, at the end of the day, more, and more detailed, logging will always be useful for investigating unexpected stuff.
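The check the poster is doing by hand (comparing Sent-folder timestamps against logins recorded in miniserv.log) can be scripted. The following is an added example, not code from the poster or from the Usermin project: it parses constructed log lines and constructed message headers, then flags every Usermin-sent message that has no recorded login by that user in the preceding window. The log line layout is an assumption modelled on the common log format that miniserv.log resembles; the user name `alice`, the IP address and all timestamps are constructed sample data.

```python
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample log (not from the post). The layout is an assumption modelled on
# the common/Apache log format; adjust LOG_RE if your miniserv.log differs.
SAMPLE_LOG = """\
203.0.113.10 - alice [17/Apr/2023:09:00:00 +0000] "POST /session_login.cgi HTTP/1.1" 302 0
203.0.113.10 - alice [17/Apr/2023:09:01:12 +0000] "GET /mailbox/index.cgi HTTP/1.1" 200 8312
203.0.113.10 - alice [21/Apr/2023:16:30:00 +0000] "POST /session_login.cgi HTTP/1.1" 302 0
"""

# Constructed headers as they might appear on messages in the Sent folder.
SAMPLE_SENT = [
    {"Date": "Mon, 17 Apr 2023 10:00:00 +0000", "X-Mailer": "Usermin 1.860"},
    {"Date": "Wed, 19 Apr 2023 14:00:00 +0000", "X-Mailer": "Usermin 1.860"},
    {"Date": "Fri, 21 Apr 2023 17:00:00 +0000", "X-Mailer": "Usermin 1.860"},
    {"Date": "Thu, 20 Apr 2023 08:00:00 +0000", "X-Mailer": "Thunderbird"},  # not Usermin, ignored
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_logins(log_text, user):
    """Return sorted (timestamp, ip) pairs for each successful login POST by `user`.

    A login is taken to be a POST to session_login.cgi answered with a 302 redirect
    (an assumption about the log, stated in the lead-in).
    """
    logins = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("user") != user:
            continue
        if "session_login.cgi" in m.group("req") and m.group("status") == "302":
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            logins.append((ts, m.group("ip")))
    return sorted(logins)


def usermin_sends(headers):
    """Return sorted send times of messages whose X-Mailer header identifies Usermin."""
    return sorted(
        parsedate_to_datetime(h["Date"])
        for h in headers
        if h.get("X-Mailer", "").startswith("Usermin")
    )


def unexplained_sends(sends, logins, window=timedelta(hours=12)):
    """Return the sends that have no login by the user within `window` before them."""
    login_times = [ts for ts, _ in logins]
    return [
        sent for sent in sends
        if not any(sent - window <= lt <= sent for lt in login_times)
    ]


if __name__ == "__main__":
    logins = parse_logins(SAMPLE_LOG, "alice")
    sends = usermin_sends(SAMPLE_SENT)
    for sent in unexplained_sends(sends, logins):
        print("Usermin send with no preceding login in window:", sent.isoformat())
```

A flagged send means one of two things: the message went out over a session that was established before the window (the long-lived session the poster considers), or it went out without any login being logged at all. Widening `window` to cover the whole period the user may have stayed logged in separates the two cases, and the IP recorded with each login can be compared against the IPs the poster already sees in the outgoing filter server log.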