How to check whether email accounts have been compromised
You can use the following command to get the dovecot logins to the email accounts in the server(attempts via email client)
egrep -o 'dovecot_login[^ ]+' /var/log/exim_mainlog | sort|uniq -c|sort -nk 1