The spam is coming from localhost. It doesn't appear to be an open relay. It looks like some script on the server itself is allowing this sending attempt. The web logs for the same time and/or spam start time should be investigated to try to identify which scripts are allowing this.
The following files/directories must be scanned:
/usr/local/apache/logs/
/usr/local/apache/domlogs/
/usr/local/cwpsrv/var/services/roundcube/logs/
My thought exactly. Since php mail is disabled, you will have to go the route of "process of elimination".
Btw, make sure mail in php is disabled by confirming that it's disabled everywhere:
Check "disable_functions = mail"
PHP-FPM- /opt/alt/php-fpm**/usr/php/php.ini
PHP-CGI- /opt/alt/php**/usr/php/php.ini
PHP-Main- /usr/local/php/php.ini
PHP-CWP- /usr/local/cwp/php71/php.ini <-- [Not sure if webpanel mail will break if disabled here]
Another measure is to put this in the main.cf file:
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain
To make it more strict, change the order of the first two lines, but the server won't be able to send mail without authentication:
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain
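
Added example, not part of the posts above: one way to run the disable_functions check over the php.ini locations listed in the thread. A plain grep for "mail" would also match commented-out lines and entries such as mb_send_mail, so this reads the last uncommented assignment and looks for mail as an exact list entry. The function names are made up for this example, and the single-* globs are an assumption derived from the paths quoted above.

```shell
#!/bin/sh
# Added example: report whether mail() is disabled in each php.ini.

# Print the effective disable_functions value of one ini file: the last
# uncommented assignment, with comments, quotes and spaces removed.
effective_disable_functions() {
    awk '
        /^[ \t]*;/ { next }                        # skip comment lines
        /^[ \t]*disable_functions[ \t]*=/ {
            sub(/^[^=]*=/, "")                     # keep the value only
            sub(/[ \t]*;.*$/, "")                  # drop a trailing comment
            gsub(/[ \t\r"]/, "")                   # drop spaces, CR, quotes
            value = $0
        }
        END { print value }
    ' "$1"
}

# Return 0 if "mail" is an exact entry in the list, 1 otherwise.
mail_disabled_in() {
    case ",$(effective_disable_functions "$1")," in
        *,mail,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Check every php.ini location from the thread that exists on this host.
# /opt/alt/php*/ covers both the php-fpm and the php-cgi directories.
check_all() {
    for ini in /opt/alt/php*/usr/php/php.ini \
               /usr/local/php/php.ini \
               /usr/local/cwp/php71/php.ini; do
        [ -f "$ini" ] || continue
        if mail_disabled_in "$ini"; then
            echo "OK      $ini"
        else
            echo "ENABLED $ini"
        fi
    done
}

check_all
```

Any file reported as ENABLED still allows mail() for the PHP build that loads it. Extra .ini files loaded from a scan directory are not covered here; php --ini for each binary lists them.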