When setting up dsync for replication, what should the user permissions be for sync over ssh?

I'm running virtual users only. Postfix and Dovecot services run as mail:mail. All the maildir folders are owned by mail:mail and permissions are 700. User mail is not allowed login.

So whats the best practice in respect to security to allow for dsync over ssh?

So of the options I consider:

1. change postfix/dovecot settings so that maildirs are created with 770 permissions, then create a user dsync:mail that is allowed for ssh login.

2. permit user mail to login using ssh

3)go with tcp sync rather than ssh

Other suggestions?

PG