diff --git a/postfix/lang/en b/postfix/lang/en
index 80b9983f4..19819fddc 100644
--- a/postfix/lang/en
+++ b/postfix/lang/en
@@ -846,8 +846,8 @@ sasl_level_secure=Secure-channel TLS
 sasl_login=SMTP login to outgoing mail host
 sasl_nologin=None needed
 sasl_userpass=Login as $1 with password $2
-sasl_elogin=Missing or invalid SMTP login
-sasl_epass=Invalid SMTP password
+sasl_elogin=Missing or invalid SMTP login (no spaces or colons allowed)
+sasl_epass=Invalid SMTP password (no spaces allowed)
 
 client_title=SMTP Client Restrictions
 client_ecannot=You are not allowed to edit SMTP client restrictions
diff --git a/postfix/sasl.cgi b/postfix/sasl.cgi
index 6c97adc4f..31722dbdc 100755
--- a/postfix/sasl.cgi
+++ b/postfix/sasl.cgi
@@ -88,7 +88,7 @@ if ($rh) {
 	$pmap = &get_maps("smtp_sasl_password_maps");
 	foreach my $o (@$pmap) {
 		if ($o->{'name'} eq $rh) {
-			($ruser, $rpass) = split(/:/, $o->{'value'});
+			($ruser, $rpass) = split(/:/, $o->{'value'}, 2);
 			}
 		}
 	}
diff --git a/postfix/save_sasl.cgi b/postfix/save_sasl.cgi
index c766f8866..e0d529529 100755
--- a/postfix/save_sasl.cgi
+++ b/postfix/save_sasl.cgi
@@ -23,7 +23,7 @@ if ($in{'smtpd_tls_CAfile_def'} eq "__USE_FREE_FIELD__") {
 # Validate remote mail server login
 if (!$in{'login_none'}) {
 	$in{'login_user'} =~ /^[^: ]+$/ || &error($text{'sasl_elogin'});
-	$in{'login_pass'} =~ /^[^: ]*$/ || &error($text{'sasl_epass'});
+	$in{'login_pass'} =~ /^[^ ]*$/ || &error($text{'sasl_epass'});
 	}
 
 &lock_postfix_files();