Dovecot: no system user login via pam

Question

I try to migrate my IMAP server. The old host is working fine, the new host does not accept system users.

root@bywater ~ # lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
Codename:       jammy
root@bywater ~ # doveconf -n
# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.16 (09c29328)
# OS: Linux 5.15.0-101-generic x86_64 Ubuntu 22.04.4 LTS
# Hostname: bywater.qno.de
auth_debug = yes
auth_debug_passwords = yes
listen = 65.21.136.15, [::]
mail_location = maildir:~/Maildir
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = dovecot
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
postmaster_address = [email protected]
protocols = " imap sieve"
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/imap2.qno.de/fullchain.pem
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
syslog_facility = local0
userdb {
  driver = passwd
}
verbose_proctitle = yes

System user is able to login via SSH and sudo with his password.

Dovecot works fine with virtual users by SQL (for tests commented out).

root@bywater /etc/dovecot/conf.d # doveadm auth test qno xxxxx
passdb: qno auth failed
extra fields:
  user=qno

/var/log/dovecot/dovecot.info:

Mar 25 22:53:09 bywater dovecot: auth-worker(339514): conn unix:auth-worker (pid=339512,uid=110): auth-worker<1>: pam(qno,93.203.92.183,<gUDsMoMU395dy1y3>): pam_authenticate() failed: Error in service module
Mar 25 22:53:09 bywater dovecot: auth-worker(339515): conn unix:auth-worker (pid=339512,uid=110): auth-worker<1>: pam(qno,93.203.92.183,<2ljsMoMU3t5dy1y3>): pam_authenticate() failed: Error in service module
Mar 25 22:53:14 bywater dovecot: auth-worker(339514): conn unix:auth-worker (pid=339512,uid=110): auth-worker<2>: pam(qno,93.203.92.183,<gUDsMoMU395dy1y3>): pam_authenticate() failed: Error in service module
Mar 25 22:53:14 bywater dovecot: auth-worker(339515): conn unix:auth-worker (pid=339512,uid=110): auth-worker<2>: pam(qno,93.203.92.183,<2ljsMoMU3t5dy1y3>): pam_authenticate() failed: Error in service module
Mar 25 22:53:16 bywater dovecot: imap-login: Disconnected: Connection closed (auth failed, 2 attempts in 9 secs): user=<qno>, method=PLAIN, rip=93.203.92.183, lip=65.21.136.15, TLS, session=<2ljsMoMU3t5dy1y3>
Mar 25 22:53:16 bywater dovecot: imap-login: Disconnected: Connection closed (auth failed, 2 attempts in 9 secs): user=<qno>, method=PLAIN, rip=93.203.92.183, lip=65.21.136.15, TLS, session=<gUDsMoMU395dy1y3>

I googled a lot. The problem arises in different configurations, but no solution worked here. Usually, i produce problems by forgetting sth very simple. What did i wrong here?

TIA QNo