diff --git a/README.md b/README.md index 5d93ad3..e3fa671 100644 --- a/README.md +++ b/README.md @@ -101,7 +101,7 @@ which also works for s2s. Add this config: ``` --- trust connections coming from these IPs +-- trust connections coming to these IPs secure_interfaces = { "127.0.0.1", "::1" } -- handle PROXY protocol on these ports diff --git a/contrib/prosody-modules/mod_s2s_outgoing_proxy.lua b/contrib/prosody-modules/mod_s2s_outgoing_proxy.lua index 1487a8b..c8e5ab0 100644 --- a/contrib/prosody-modules/mod_s2s_outgoing_proxy.lua +++ b/contrib/prosody-modules/mod_s2s_outgoing_proxy.lua @@ -28,10 +28,22 @@ module:hook("route/remote", function(event) return true; end, -2); --- is this the best place to do this? +-- todo: is this the best place to do these hooks? +-- this hook marks outgoing s2s as secure so we accept SASL EXTERNAL on it module:hook_tag("http://etherx.jabber.org/streams", "features", function (session, stanza) if session.type == "s2sout_unauthed" then module:log("debug", "marking hook session.type '%s' secure!", session.type); session.secure = true; end end, 3000); + +-- this hook marks incoming s2s as secure so we offer SASL EXTERNAL on it +module:hook("s2s-stream-features", function(event) + local session, features = event.origin, event.features; + if session.type == "s2sin_unauthed" then + module:log("debug", "marking hook session.type '%s' secure with validated cert!", session.type); + session.secure = true; + session.cert_chain_status = "valid"; + session.cert_identity_status = "valid"; + end +end, 3000); diff --git a/integration/25-s2s-sasl-external/tests b/integration/25-s2s-sasl-external/tests deleted file mode 100644 index e2efe61..0000000 --- a/integration/25-s2s-sasl-external/tests +++ /dev/null @@ -1 +0,0 @@ -juliet_presence.scs romeo_messages_juliet.scs romeo_presence.scs \ No newline at end of file
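Review bot: Nothing in the new `s2s-stream-features` hook checks that the inbound session actually arrived through xmpp-proxy before it forces `session.secure = true`, `cert_chain_status = "valid"` and `cert_identity_status = "valid"` on every `s2sin_unauthed` session. Those fields are asserted rather than derived from a certificate Prosody itself saw. If the s2s listener is reachable by anything other than the proxy, a peer would presumably be offered SASL EXTERNAL and treated as certificate-verified for whatever domain it claims. The hook should be gated on a condition establishing that the connection came from the trusted proxy path; the hunk shows no such signal, so which session field to test needs confirming against the PROXY-protocol module in use. At minimum, state the trust assumption above the hook, e.g. `-- SECURITY: assumes xmpp-proxy already verified the peer certificate against the claimed domain; never expose this s2s listener directly`. The local `features` is assigned but never used and can be dropped.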