The example in "man encrypt" is the culprit. It extracts the bits from each byte upwards into the bit vector, i.e. offset 0 = bit 0 from byte 0, offset 1 = bit 1 from byte 0, offset 2 = bit 2 from byte 0 and so on.
If doing it as in the Claws Mail source code, the ciphertext is the same for all three DES APIs. Claws Mail unpacks the bits in decreasing (!) order.
That looks promising.
The following patch would be one solution: https://mschwendt.fedorapeople.org/claws-mail-3.16.0-encrypt-nettle.patch