We wrote a shell script that runs hourly and notifies us of SASL 
authentications with IPs from at least 2 different countries in the previous 
hour. In the future we plan to automatically change the password if SASL 
authentications are from 3 different countries. This catches most of the hacked 
e-mail accounts.

Also, we use Postfix relays with Rspamd checking the From header (we don't allow 
users to spoof the From address) and doing rate limits (500 e-mails / hour). If 
someone tries to send more e-mails, then the extra e-mails go to the queue for 
later delivery. So we have some time to manually check.
