diff --git a/src/applications/metamta/adapter/PhabricatorMailImplementationPostmarkAdapter.php b/src/applications/metamta/adapter/PhabricatorMailImplementationPostmarkAdapter.php
--- a/src/applications/metamta/adapter/PhabricatorMailImplementationPostmarkAdapter.php
+++ b/src/applications/metamta/adapter/PhabricatorMailImplementationPostmarkAdapter.php
@@ -73,12 +73,24 @@
       $options,
       array(
         'access-token' => 'string',
+        'inbound-addresses' => 'list<string>',
       ));
+
+    // Make sure this is properly formatted.
+    PhutilCIDRList::newList($options['inbound-addresses']);
   }
 
   public function newDefaultOptions() {
     return array(
       'access-token' => null,
+      'inbound-addresses' => array(
+        // Via Postmark support circa February 2018, see:
+        //
+        // https://postmarkapp.com/support/article/800-ips-for-firewalls
+        //
+        // "Configuring Outbound Email" should be updated if this changes.
+        '50.31.156.6/32',
+      ),
     );
   }
 
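Review bot: The comment `// Make sure this is properly formatted.` does not say that `PhutilCIDRList::newList()` is called only for its failure path and that the return value is deliberately discarded. I would spell that out, e.g. `// Parse the ranges now so a malformed CIDR block fails at configuration time, not on the first webhook; the result is intentionally unused.` This presumes `newList()` throws on a malformed entry, which is not visible here. An empty list appears to pass this check and would make the receive controller refuse every inbound request, so the comment could mention that as well. The enclosing validation method starts above the hunk.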
diff --git a/src/applications/metamta/controller/PhabricatorMetaMTAPostmarkReceiveController.php b/src/applications/metamta/controller/PhabricatorMetaMTAPostmarkReceiveController.php
--- a/src/applications/metamta/controller/PhabricatorMetaMTAPostmarkReceiveController.php
+++ b/src/applications/metamta/controller/PhabricatorMetaMTAPostmarkReceiveController.php
@@ -20,6 +20,21 @@
       return new Aphront404Response();
     }
 
+    $remote_address = $request->getRemoteAddress();
+    $any_remote_match = false;
+    foreach ($mailers as $mailer) {
+      $inbound_addresses = $mailer->getOption('inbound-addresses');
+      $cidr_list = PhutilCIDRList::newList($inbound_addresses);
+      if ($cidr_list->containsAddress($remote_address)) {
+        $any_remote_match = true;
+        break;
+      }
+    }
+
+    if (!$any_remote_match) {
+      return new Aphront400Response();
+    }
+
     $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
     $raw_input = PhabricatorStartup::getRawInput();
 
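Review bot: The rejection branch at `if (!$any_remote_match)` returns a bare `Aphront400Response` and records nothing, so a failed address check leaves no trace of why inbound mail stopped. That matters because the default allowlist is a single /32 dated February 2018, and because `getRemoteAddress()` presumably reports the load balancer's address on installs behind one unless they rewrite it, in which case every webhook would be refused. I would log the refused address before returning, e.g. `phlog(pht('Refusing Postmark webhook from "%s": not in any "inbound-addresses" range.', $remote_address));`. A comment above the loop should also say that the source-address check shows the request came from a listed range, not which Postmark account sent it. The controller method starts above and continues below the hunk.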
diff --git a/src/docs/user/configuration/configuring_outbound_email.diviner b/src/docs/user/configuration/configuring_outbound_email.diviner
--- a/src/docs/user/configuration/configuring_outbound_email.diviner
+++ b/src/docs/user/configuration/configuring_outbound_email.diviner
@@ -157,6 +157,23 @@
 To use this mailer, set `type` to `postmark`, then configure these `options`:
 
   - `access-token`: Required string. Your Postmark access token.
+  - `inbound-addresses`: Optional list<string>. Address ranges which you
+    will accept inbound Postmark HTTP webook requests from.
+
+The default address list is preconfigured with Postmark's address range, so
+you generally will not need to set or adjust it.
+
+The option accepts a list of CIDR ranges, like `1.2.3.4/16` (IPv4) or
+`::ffff:0:0/96` (IPv6). The default ranges are:
+
+```lang=json
+[
+  "50.31.156.6/32"
+]
+```
+
+The default address ranges were last updated in February 2018, and were
+documented at: <https://postmarkapp.com/support/article/800-ips-for-firewalls>
 
 
 Mailer: Amazon SES