rsync bullies destination ACLs for fun

1

0

I have the following ACLs configured on a directory (.ssh) at the destination of my rsync:

# file: .ssh
# owner: jsmith
# group: jsmith
user::rwx
user:backup:r-x
group::---
group:backup:r-x
mask::r-x
other::---
default:user::rwx
default:user:backup:r-x
default:group::---
default:group:backup:r-x
default:mask::r-x
default:other::---

I am using rsync with the options -aXzv to transfer the .ssh directory between two servers, and after the transfer, the destination has the following ACLs:

# file: .ssh
# owner: jsmith
# group: jsmith
user::rwx
user:backup:r-x            #effective:---
group::---
group:backup:r-x           #effective:---
mask::---
other::---
default:user::rwx
default:user:backup:r-x
default:group::---
default:group:backup:r-x
default:mask::r-x
default:other::---

The source directory has these ACLs:

# file: .ssh
# owner: jsmith
# group: jsmith
user::rwx
group::---
other::---

Notice the destination mask has changed from r-x (before the rsync) to --- (after the rsync).

Why is this happening, and how can I use rsync to retain the source user, group, and other permissions while preserving the destination's extended ACLs such that the backup user has full execute and write permissions after the rsync operation?

EDIT: Both servers are running rsync 3.0.9, both server filesystems have ACLs enabled. The source server uses ext3 and the destination server uses ext4.

Xenon

Posted 2013-04-21T15:36:43.683

Reputation: 151

Answers

3

The destination mask is changed to --- because you're running rsync with the -a option, which implies -p/--perms. What this means is that rsync will try to preserve the source's permissions, which then effectively tries to do a chmod 700 on the destination. See https://serverfault.com/questions/352783/why-does-chmod1-on-the-group-affect-the-acl-mask/352915#352915 for an explanation of why changing the group permission with chmod will change the ACL mask.

As for respecting destination ACLs and preserving access to the "backup" group, maybe running with --no-p --chmod=g=rwX? This will create new files using the directory's default ACL, and update files without changing their permissions -- that is, it will only work if the existing files' permissions aren't to change.

Davor Cubranic

Posted 2013-04-21T15:36:43.683

Reputation: 152
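The mask behaviour described in the answer above, modelled as an added example (not part of the original post and not rsync's code): on a file that has an ACL mask, chmod writes the group bits into mask::, so the named entries stay in place but lose their effect. The function names are invented for this sketch; the ACL text is the destination ACL quoted in the question.

```python
# Model of POSIX ACL mask semantics; helper names are hypothetical.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Destination ACL before the transfer, copied from the question.
DEST_BEFORE = """\
# file: .ssh
user::rwx
user:backup:r-x
group::---
group:backup:r-x
mask::r-x
other::---
"""

def to_bits(perms):
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)

def to_str(bits):
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())

def parse_acl(text):
    """Parse getfacl-style access entries into {(tag, qualifier): bits}."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()  # drop headers and '#effective' notes
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        acl[(tag, qualifier)] = to_bits(perms)
    return acl

def chmod(acl, mode):
    """Apply a chmod the way the kernel does when the file carries an ACL."""
    acl = dict(acl)
    acl[("user", "")] = (mode >> 6) & 7
    acl[("other", "")] = mode & 7
    # With a mask entry present, the mode's group bits land on mask::, not group::.
    target = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[target] = (mode >> 3) & 7
    return acl

def effective(acl, tag, qualifier=""):
    """Owner and other are never masked; named users and all groups are."""
    bits = acl[(tag, qualifier)]
    if (tag, qualifier) in (("user", ""), ("other", "")):
        return bits
    return bits & acl.get(("mask", ""), 7)

if __name__ == "__main__":
    after = chmod(parse_acl(DEST_BEFORE), 0o700)  # what -p does with the source mode
    for (tag, qualifier), bits in after.items():
        print(f"{tag}:{qualifier}:{to_str(bits)}  effective:{to_str(effective(after, tag, qualifier))}")
```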