Well, after finding the above part where the user "brandon" was trying to login, I created that login a while ago as a temporatly solution for one of my friends. It was a very simple "brandon/brandon" username/password and I wasn't too worried of anyone guessing it because if they loggen in, they would only have access to that folder (web31) and the only thing to delete would have been my one PHP file I made to redirect to a different page.
Everything in the /etc/passwd file looks normal to me. I deleted "brandon" and it's no longer in the file. I'll try the link you gave me.
disabling sasl means no one is allowed to send except that the IP of the sender is within mynetworks.
So wouldn't that mean only my IP then? If I disable SASL and they can't login remotely, then only my IP should be allowed to send.