As a user, sharing successful login IPs by default feels high-friction and discourages me from trying Lightmeter
I thought it was worth sharing a user perspective here on the "share login attempts by default" - I heard about Lightmeter recently, thought it seemed a nice project, decided to try it out, and was very quickly put off by what appears to be the default (without an option) to share every user's successful login record with the hosted service.
Your rationale makes sense (helping people detect credential-stuffing attacks by sharing a list of blocked IPs), but I thought it was worth sharing feedback that this request seems likely to (at least for me) be quite discouraging for someone that self hosts email (and thus is the target audience). As a user/server admin, I'd have no issue sharing unsuccessful logins with Lightmeter (as well as attempts to use the server as an open relay, or trying to send "as" a local email address), but sharing successful logins seems very intrusive. Before trying the tool out, users are more sceptical of claims etc - I want to see it work for themselves before I will turn on something like this.
I don't need to use Lightmeter to restrict access to my mail server - I don't need to share successful login entries, and I won't benefit from doing so, as far as I can see. I am now running an older version (1.8.2) of the tool (per a suggestion I believe I read in the information about this choice), wondering if the issues I'm encountering with Lightmeter parsing my logs are fixed in a newer version or not. To use a newer version, I'd need to manually patch the source to remove the IP/login sharing functionality . This is a fairly significant hurdle just to try out a new tool, meaning I'm pretty firmly pushed away from Lightmeter as a user. I don't know if this is your intention or if any users have shared this perspective with you?
Would there be reduced user friction if there was a prominent option at setup to share only unsuccessful logins, or maybe (for more sensitive users) login attempts for only non-existent usernames, unauthenticated relay attempts, etc? Or perhaps an option to allow users to use Lightmeter without sharing logins and user IPs, for those not wishing to enable the (unnecessary, in my opinion) postfix/dovecot authentication pre-filters, which benefits from the data? Any of these options would reduce friction enough to get me to install a new version, but the current situation just presents too much user friction to be willing to try a newer version without going to the effort of manually patching the source to send null IPs.