First you need to know if they've actually compromised your server or are just spoofing your mail server's address. Did you look in the logs? Are you seeing unusual activity in your database server, web server, mail server? Are you seeing unusual network activity?
If the server has been compromised, you need to take it offline and will probably have to wipe and reinstall from known-good backups, and apply updates to all your components and frameworks. Have you been keeping up to date on those?
Have you run any intrusion detection software? Something like Tripwire, taking MD5s of your files so you can tell what's been changed? Did you run any rootkit-detection programs to find out how someone could have gotten in, or what may be installed?
If your server was compromised, if someone else got root, they could easily have replaced system binaries, so you can't trust anything, not even ls or ps or top, which could have been replaced with rootkit stuff to hide malware processes. The only thing you could really do is connect another known-clean system to the network and look to see what unusual activity is originating from your server.
There's a decent chance that you can find some activity in the log files if the intruder didn't cover his or her tracks. But again, you can't trust them fully if it was a compromise. You can only get around that by configuring your logging daemon to mirror logs to another server whose sole purpose is to aggregate logs from systems.
So determine if your server has indeed been compromised, and if you have any indication of it, take it offline and clean it by reinstalling from known-good backups. Make a forensic copy of your drives if you want to try figuring out what happened.