[Sticky] Carbonio Community Edition - New Release

(@zottel)
Joined: 1 year ago
Posts: 22
 

Note that SOAP auth with the zimbra account by itself isn't a sign of an attacker on your system. Some Carbonio cronjobs use this, too; see crontab -e as zextras and compare the times with the occurrence of SOAP auths as zimbra. In my case, this explained daily zimbra auths at 2:15, 22:00 and 23:45. Plus, the cmbackup script I'm running uses this authentication for several auths starting at 1:30 on my server. Moreover, there were several auths today during the upgrade process, and probably for the recommended LDAP backup, too.

However, I had accesses I'm not sure about shortly after 3 am on Jan 1st, 3rd, 5th, and 9th that are so regular that I'm wondering if that isn't some cronjob, too, and irregular accesses on Jan 5th at 1:44 and 11:41, on Jan 7th at 12:46, and on Jan 9th at 3:52. Plus, PreAuth keys had been set for all my domains, and I can't remember having set those myself.

Otherwise, I haven't yet found any irregular activity, so I hope that the hackers that seem to have visited my server have just paved the way for future campaigns and now won't be able to do anything as I have deleted the PreAuth keys and changed the LDAP account password.

I'd be happy if somebody could tell me what the attacker theoretically could have done with the access they had so I can have a look if really everything is in order.
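The post above suggests a practical triage step: line up every SOAP auth by the zimbra account against the zextras crontab and see which ones a scheduled job explains. The script below is an added example (not code from the post or from the Carbonio project) that does exactly that correlation. The crontab text, the auth timestamps and the year 2024 are constructed sample data chosen to mirror the times mentioned in the post; the real zextras crontab and the real auth log on a server will differ, and the log parsing that produces the timestamps is left to the reader because the post does not show the log format.

```python
from datetime import datetime, timedelta


def _field_matches(field, value, lo, hi):
    """True if one crontab field ('*', '5', '*/15', '1,3,5', '1-5') covers value."""
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False


def cron_fires_at(spec, dt):
    """True if the five-field cron spec fires at the given minute."""
    minute, hour, dom, month, dow = spec.split()[:5]
    dow_val = dt.isoweekday() % 7  # cron: Sunday is 0 (or 7)
    dow_ok = _field_matches(dow, dow_val, 0, 7) or (
        dow_val == 0 and _field_matches(dow, 7, 0, 7)
    )
    return (
        _field_matches(minute, dt.minute, 0, 59)
        and _field_matches(hour, dt.hour, 0, 23)
        and _field_matches(dom, dt.day, 1, 31)
        and _field_matches(month, dt.month, 1, 12)
        and dow_ok
    )


def parse_crontab(text):
    """Return (spec, command) tuples from crontab text, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # not a schedule line (e.g. an environment assignment)
        entries.append((" ".join(fields[:5]), fields[5]))
    return entries


def explain_auths(auth_times, crontab_text, window_minutes=5):
    """For each auth timestamp, find a cron entry that fired within
    window_minutes before it. Returns (timestamp, command-or-None) pairs;
    None means no scheduled job accounts for that auth."""
    entries = parse_crontab(crontab_text)
    result = []
    for ts in auth_times:
        hit = None
        for spec, cmd in entries:
            # Walk back minute by minute over the window; a job that
            # started a few minutes before the auth still explains it.
            if any(cron_fires_at(spec, ts - timedelta(minutes=back))
                   for back in range(window_minutes + 1)):
                hit = cmd
                break
        result.append((ts, hit))
    return result


def unexplained_auths(auth_times, crontab_text, window_minutes=5):
    """Timestamps (as 'YYYY-MM-DD HH:MM' strings) that no cron entry explains."""
    return [ts.strftime("%Y-%m-%d %H:%M")
            for ts, cmd in explain_auths(auth_times, crontab_text, window_minutes)
            if cmd is None]


# Constructed sample crontab; NOT the real zextras crontab. Job paths are placeholders.
SAMPLE_CRONTAB = """
# nightly maintenance (placeholder commands)
15 2 * * * /opt/example/nightly-job-a
0 22 * * * /opt/example/nightly-job-b
45 23 * * * /opt/example/nightly-job-c
30 1 * * * /opt/example/backup-like-job
"""

# Constructed sample auth times (year 2024 assumed), modelled on the post's figures.
SAMPLE_AUTHS = [
    datetime(2024, 1, 1, 1, 33),   # 3 min after the 1:30 backup-like job
    datetime(2024, 1, 1, 2, 15),   # exactly the 2:15 job
    datetime(2024, 1, 1, 22, 0),   # the 22:00 job
    datetime(2024, 1, 3, 3, 2),    # "shortly after 3 am" - no job near it
    datetime(2024, 1, 5, 1, 44),   # 14 min after 1:30, outside the window
    datetime(2024, 1, 5, 11, 41),
    datetime(2024, 1, 7, 12, 46),
    datetime(2024, 1, 9, 3, 52),
]


def demo():
    """Run the correlation over the constructed sample; returns the unexplained auths."""
    return unexplained_auths(SAMPLE_AUTHS, SAMPLE_CRONTAB)


if __name__ == "__main__":
    for ts in demo():
        print("no cron entry explains auth at", ts)
```

The window is deliberately small: a job that logs in ten or more minutes after its scheduled start is itself worth a look, so widening the window hides exactly the events you want to see. The leftover list is what a review should focus on, and an entry like the 3 am series in the post is a reason to check other scheduled sources (systemd timers, a backup host's own scheduler) before treating it as hostile.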