I don't think they "hacked" imscp itself. So then I think they got a password and than installed a script on your system. Purging postfix will not change anything, because the script is not included in postfix itself.
For you it's easier to install a fresh system, because may you will not find every scripts or any backdoors (if exists).
First I think, but I don't believe that had stolen my password from me.
1. Only one website attacked, more site are correct, I didn't experienced change other sites.
2. I think someone attacked for my server, because they placed the script through my site. This script continuously sends SPAM. I deleted this site, customer (I-MSCP) all data. Script is working!