hardening: reject authentication with empty passwd

SSH defaults to disallowing empty passwords but Dovecot has no similar safeguard (at least not one enabled by default). Remove "nullok" from /etc/pam.d/system-auth to implement the desired behavior system-wide.