diff --git a/docs/configuration.rst b/docs/configuration.rst index 1a40bf65..fee15737 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -100,6 +100,12 @@ by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidd internet facing hosts according to e.g. `RFC 3207`_ , because this prevents MTAs without STARTTLS support or e.g. mismatching TLS versions to deliver emails to Mailu. +The ``SCAN_MACROS`` (default: True) setting controls whether Mailu will endavour +to reject emails containing documents with malicious macros. Under the hood, it uses +`mraptor from oletools`_ to determine whether a macro is malicious or not. + +.. _`mraptor from oletools`: https://github.com/decalage2/oletools/wiki/mraptor + .. _`RFC 3207`: https://tools.ietf.org/html/rfc3207 .. _fetchmail: diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml index 11af9eff..fe766c0d 100644 --- a/setup/flavors/compose/docker-compose.yml +++ b/setup/flavors/compose/docker-compose.yml @@ -103,6 +103,7 @@ services: - {{ dns }} {% endif %} +{% if oletools_enabled %} oletools: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-{{ version }}} hostname: oletools @@ -115,21 +116,26 @@ services: dns: - {{ dns }} {% endif %} +{% endif %} antispam: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}} hostname: antispam restart: always env_file: {{ env }} +{% if oletools_enabled %} networks: - default - noinet +{% endif %} volumes: - "{{ root }}/filter:/var/lib/rspamd" - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d:ro" depends_on: - front +{% if oletools_enabled %} - oletools +{% endif %} - redis {% if resolver_enabled %} - resolver @@ -217,6 +223,8 @@ networks: {% if ipv6_enabled %} - subnet: {{ subnet6 }} {% endif %} +{% if oletools_enabled %} noinet: driver: bridge internal: true +{% endif %} 
diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env index cc99912e..980788ce 100644 --- a/setup/flavors/compose/mailu.env +++ b/setup/flavors/compose/mailu.env @@ -58,6 +58,9 @@ WEBDAV={{ webdav_enabled or 'none' }} # Antivirus solution (value: clamav, none) ANTIVIRUS={{ antivirus_enabled or 'none' }} +# Scan Macros solution (value: true, false) +SCAN_MACROS={{ oletools_enabled or 'false' }} + ################################### # Mail settings ################################### diff --git a/setup/templates/steps/compose/02_services.html b/setup/templates/steps/compose/02_services.html index a801f807..cb9ba807 100644 --- a/setup/templates/steps/compose/02_services.html +++ b/setup/templates/steps/compose/02_services.html @@ -55,6 +55,15 @@ the security implications caused by such an increase of attack surface.

Fetchmail allows users to retrieve mail from an external mail-server via IMAP/POP3 and puts it in their inbox. +

+ + + Oletools scans documents in email attachements for malicious macros. It has a much lower memory footprint than a full-fledged anti-virus. +
+
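Review bot: in the docs/configuration.rst hunk, the added paragraph documents the default as ``True``, while the mailu.env template in this same patch falls back to 'false' when oletools_enabled is unset, so an install generated by setup without the option gets the opposite of the documented default. Say which default applies where (the application default versus the generated env file), and mention that the setting relies on the oletools service being present in the compose file. "endavour" should be "endeavour".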
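Review bot: in setup/flavors/compose/docker-compose.yml, the oletools service, the antispam `networks:` block, the `- oletools` dependency and the `noinet` network are all gated on the setup-time `oletools_enabled`, but the docs hunk says the behaviour is controlled by `SCAN_MACROS`, which lives in mailu.env and can be edited later. Setting SCAN_MACROS to true on a deployment generated without oletools would leave antispam with no oletools container and no `noinet` network to reach it on. Add a template comment or a docs line saying the compose file has to be regenerated when the setting is turned on, and a short comment next to `internal: true` explaining that the scanner network is deliberately kept without internet access.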
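Review bot: in setup/flavors/compose/mailu.env, `SCAN_MACROS={{ oletools_enabled or 'false' }}` writes whatever value the setup form submits for oletools_enabled when it is set, and nothing visible in this patch constrains that value to the `true`/`false` the comment promises. Render an explicit literal, for example `SCAN_MACROS={{ 'true' if oletools_enabled else 'false' }}`, so the generated file always matches the documented values. The comment "Scan Macros solution" also reads oddly for a boolean; something like "Scan documents for malicious macros (value: true, false)" would be clearer.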
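Review bot: in setup/templates/steps/compose/02_services.html, the added help text says Oletools "scans" attachments but not what happens to a flagged message, whereas the docs hunk says Mailu will try to reject it. State that here, since rejected mail is the effect an admin ticking this box needs to know about. "attachements" should be "attachments".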