What user permissions are needed for executing "doveadm dsync-server"?

Question

I'm trying to copy mail from one server (mail1) serving for example.com to another (mali2) and the docs at https://doc.dovecot.org/3.0/man/doveadm-sync.1/ say that I can do

doveadm sync -u username@example.com ssh -i id_dsa.dovecot mailuser@example.com doveadm dsync-server -u username@example.com

It's not perfectly clear but I guess here mailuser@example.com is for an account mailuser that ssh can use to log into example.com (which in my case is mail1).

So I created mailuser on mail1, verified that ssh will let me in, and tried running this:

useracc@mail2:~$ doveadm sync -u username@example.com ssh -i id_dsa.dovecot mailuser@mail1 doveadm dsync-server -u username@example.com
doveadm(useracc): Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
doveadm(username@example.com): Fatal: setgid(5000(vmail) from userdb lookup) failed with euid=1000(useracc), gid=0(root), egid=0(root): Operation not permitted (This binary should probably be called with process group set to 5000(vmail) instead of 0(root))

It does seem like permissions problem so I put sudo in front of it and tried again and got this

useracc@mail2:~$ sudo doveadm sync -u username@example.com ssh -i id_dsa.dovecot mailuser@mail1 doveadm dsync-server -u username@example.com
[sudo] password for useracc: 
doveadm(username@example.com)<3916205><>: Error: auth-master: userdb lookup(username@example.com): Auth USER lookup failed
doveadm(username@example.com): Error: User lookup failed: Internal error occurred. Refer to server log for more information.
dsync-local(username@example.com)<lAmcH6o/HWYh4QAAbmxPTQ>: Error: read(remote) failed: EOF (version not received)

This now looks like permissions problem for mailuser@mail1 so I ssh'ed in as mailuser@mail1 and tried

mailuser@mail1:~$ doveadm dsync-server -u username@example.com
doveadm(mailuser): Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
doveadm(username@example.com)<3919456><>: Error: auth-master: userdb lookup(username@example.com): Auth USER lookup failed
doveadm(username@example.com): Error: User lookup failed: Internal error occurred. Refer to server log for more information.

so it really happens to be a permissions problem.

This user has no password (uses PubkeyAuthentication) so I can't do sudo here. But even if I could do I don't see how to add sudo to the command sent from mail2 ... Anyway, just to make sure, I tried the same command (without sudo) with another account (member of the root group) on mail1 and the result was similar (though not exactly the same):

useracc@mail1:~$ doveadm dsync-server -u username@example.com
doveadm(useracc): Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
doveadm(username@example.com): Fatal: setgid(5000(vmail) from userdb lookup) failed with euid=1000(useracc), gid=0(root), egid=0(root): Operation not permitted (This binary should probably be called with process group set to 5000(vmail) instead of 0(root))

And then running it with sudo got me something which looks like a running server's terminal output!!!

useracc@mail1:~$ sudo doveadm dsync-server -u username@example.com
[sudo] password for useracc: 
VERSION dsync   3   5
Hhostname   sync_ns_prefix  sync_box    sync_box_guid   sync_type
.....

So now I'm sure it's a permissions problem for mailuser@mail1 to start the server but I can't figure out exactly what permissions are needed?!? I can't find anything in the documentation. I doubt I'm expected to login as root in order to accomplish this task ...

I wonder if someone can point me to a more detailed guide which explains the setup on the source and target machines for sync'ing mail with doveadm?