The server was hacked. How to find damage?
Hello. I found out that on March 2 Postfix crashed. I don't remember when I last visited; just over a week ago. From the Postfix logs, I found out that before the crash there was a connection from China (183.164.139.154). With the help of netstat, I saw that there were currently two connections: his and mine. He was kicked. How can I find out what damage was done and how my server was used?
Now I'm trying to protect the server with the help of this article.
Yes, after the disconnect Postfix started working.
PS As it turned out, I installed Chrome and just forgot about it. And Postfix crashed due to missing spaces in the config (I'll never know how that happened). Well, the Chinese ... sorry, I didn't take a screenshot of which port he connected to. In any case, I will create a new server.
Back up the logs for subsequent analysis, and do a complete reinstallation.
You can only collect information about what commands were executed, check whether there are any suspicious files or processes on the server, and whether there are any directories and files with changed permissions. Look at network activity to see if there were abnormal loads. Based on this, you can draw conclusions about the intruder's actions on your server and estimate what damage has been done.
It is best to rebuild everything from scratch to rule out Easter eggs. And you need to find the hole, otherwise it will happen again.
Why would a cracker take down your Postfix? Most likely this is not about hacking but about incorrect configuration of Postfix itself, for example as an open relay, or one or more of the mail accounts became known to spammers and your server was used for mass mailing and stopped responding due to resource exhaustion.
Check the logs for exactly how the mailing was done; if with authorization, reset the passwords for the compromised accounts. If not, configure the server to exclude unauthorized relaying and set rate limits by IP address and user so that even if an account is compromised, your server does not run out of resources. If it was through web scripts on the same server, then look for either problematic scripts or the way the web server was compromised, if you have a web server there.
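An added example (not code from this thread) for the log checks the two answers above describe: shell functions that join Postfix smtpd and qmgr lines to show how many recipients each SASL account sent to and from how many client IPs it authenticated, which is what separates a stolen mailbox password from an open relay. It assumes the default Postfix syslog line format and runs here over constructed sample lines.

```shell
#!/bin/sh
# Postfix log triage after a suspected compromise (added example, not from
# the thread). Assumes the standard postfix/smtpd "client=... sasl_username="
# and postfix/qmgr "nrcpt=" log lines.

# Constructed sample log (not real data): one account used from two IPs to
# send to hundreds of recipients, plus a normal unauthenticated delivery.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  2 03:14:07 mail postfix/smtpd[2101]: A1B2C3D4E5: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  2 03:14:08 mail postfix/qmgr[1000]: A1B2C3D4E5: from=<alice@example.com>, size=2048, nrcpt=250 (queue active)
Mar  2 03:14:09 mail postfix/smtpd[2102]: B2C3D4E5F6: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  2 03:14:10 mail postfix/qmgr[1000]: B2C3D4E5F6: from=<alice@example.com>, size=2048, nrcpt=300 (queue active)
Mar  2 03:14:11 mail postfix/smtpd[2103]: C3D4E5F6A7: client=mx.partner.example[192.0.2.10]
Mar  2 03:14:12 mail postfix/qmgr[1000]: C3D4E5F6A7: from=<bob@partner.example>, size=512, nrcpt=1 (queue active)
EOF

# Total recipients accepted per SASL account. Joins the smtpd line (queue
# id -> username) with the qmgr line (queue id -> nrcpt). Hundreds of
# recipients from one mailbox account is the signature of a stolen password.
sasl_recipients_by_user() {
    awk '
        /postfix\/smtpd/ && /sasl_username=/ {
            qid = $6; sub(/:$/, "", qid)
            u = $0; sub(/.*sasl_username=/, "", u); sub(/,.*/, "", u)
            user[qid] = u
        }
        /postfix\/qmgr/ && /nrcpt=/ {
            qid = $6; sub(/:$/, "", qid)
            if (qid in user) {
                n = $0; sub(/.*nrcpt=/, "", n); sub(/ .*/, "", n)
                total[user[qid]] += n
            }
        }
        END { for (u in total) print total[u], u }
    ' "$1" | sort -rn
}

# Number of distinct client IPs that authenticated as each account; one
# account logging in from several unrelated addresses points the same way.
sasl_client_ips_by_user() {
    awk '
        /postfix\/smtpd/ && /sasl_username=/ {
            ip = $0; sub(/.*client=[^,]*\[/, "", ip); sub(/\].*/, "", ip)
            u = $0; sub(/.*sasl_username=/, "", u); sub(/,.*/, "", u)
            if (!((u, ip) in seen)) { seen[u, ip] = 1; n[u]++ }
        }
        END { for (u in n) print n[u], u }
    ' "$1" | sort -rn
}
```

On a real server point both functions at the mail log (for example `sasl_recipients_by_user /var/log/mail.log`); an unauthenticated client that relays to outside domains will show up in the qmgr lines without any matching SASL entry, which is the open-relay case rather than the stolen-password case.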
There is a standard rule that any compromised server should be moved to a fresh installation in order to avoid a tricky backdoor.