diff --git a/.gitignore b/.gitignore
index 2c16a19..3b505dd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,7 @@
 *.tfvars
 *.brokerpak
+# Configuration for the CSB CLI client.
+clientconfig.yml
+# Configuration for the CSB server.
 secrets.env
 zscaler.crt
diff --git a/brokerpaks/cg-smtp/client/.gitignore b/brokerpaks/cg-smtp/client/.gitignore
index 15c50c4..6eb9649 100644
--- a/brokerpaks/cg-smtp/client/.gitignore
+++ b/brokerpaks/cg-smtp/client/.gitignore
@@ -1,3 +1,5 @@
 bindings.txt
+bindings.txt.history
 credentials.json
 instances.txt
+instances.txt.history
diff --git a/brokerpaks/cg-smtp/client/bin/down.sh b/brokerpaks/cg-smtp/client/bin/down.sh
new file mode 100755
index 0000000..99c5e23
--- /dev/null
+++ b/brokerpaks/cg-smtp/client/bin/down.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+set -eo pipefail
+
+# Work around the broker not having a command like `csb client list` by tracking the
+# instances and bindings we've created.
+
+if [ "$#" -lt 1 ]; then
+  printf "Usage:\n\n\t\$./down.sh /path/to/workdir\n\nWorking directory must match the directory passed to up.sh."
+  exit 1
+fi
+
+workdir=$1
+
+cat "${workdir}/bindings.txt" | xargs -n 2 bash -c 'cloud-service-broker client unbind --config clientconfig.yml --planid 35ffb84b-a898-442e-b5f9-0a6a5229827d --serviceid 260f2ead-b9e9-48b5-9a01-6e3097208ad7 --instanceid $1 --bindingid $2' -
+echo "\n\n$(date)" >> bindings.txt.history
+cat ${workdir}/bindings.txt >> ${workdir}/bindings.txt.history
+rm ${workdir}/bindings.txt
+
+cat "${workdir}/instances.txt" | xargs -I % cloud-service-broker client deprovision --config clientconfig.yml --planid 35ffb84b-a898-442e-b5f9-0a6a5229827d --serviceid 260f2ead-b9e9-48b5-9a01-6e3097208ad7 --instanceid %
+echo "\n$(date)" >> instances.txt.history
+cat ${workdir}/instances.txt >> ${workdir}/instances.txt.history
+rm ${workdir}/instances.txt
+
+echo "Done. instances.txt and bindings.txt cleared. History recorded in instances.txt.history and bindings.txt.history."
+
diff --git a/brokerpaks/cg-smtp/client/bin/up.sh b/brokerpaks/cg-smtp/client/bin/up.sh
new file mode 100755
index 0000000..a67ca22
--- /dev/null
+++ b/brokerpaks/cg-smtp/client/bin/up.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+set -eo pipefail
+
+if [ "$#" -lt 2 ]; then
+  printf "Usage:\n\n\t\$./up.sh recipient-email@gsa.gov /path/to/workdir\n\n"
+  exit 1
+fi
+
+recipient=$1
+workdir=$2
+
+csb=cloud-service-broker
+
+# Instance IDs must be unique, so generate a new one
+instanceid=$(uuidgen | tr "[A-Z]" "[a-z]")
+echo "Instance ID: $instanceid"
+
+# Start provisioning
+$csb client provision --config clientconfig.yml --planid 35ffb84b-a898-442e-b5f9-0a6a5229827d --serviceid 260f2ead-b9e9-48b5-9a01-6e3097208ad7 --instanceid $instanceid --params "{\"dmarc_report_uri_aggregate\": \"mailto:${recipient}\", \"dmarc_report_uri_failure\": \"${recipient}\"}"
+
+# Wait on provisioning to finish
+state=""
+while [[ "$state" != "succeeded" ]]; do
+	sleep 10
+	state=$($csb client --config clientconfig.yml last --instanceid $instanceid | jq -r '.response.state')
+	echo "State: $state"
+done
+
+touch "$workdir/instances.txt"
+echo $instanceid >> "$workdir/instances.txt"
+
+# Let the broker settle
+sleep 1
+
+# Binding IDs must be unique, so generate a new one
+bindingid=$(uuidgen | tr "[A-Z]" "[a-z]")
+echo "Binding ID: $bindingid"
+touch "$workdir/bindings.txt"
+echo "$instanceid $bindingid" >> "$workdir/bindings.txt"
+
+# Update smtp-client with new credentials
+$csb client bind --config clientconfig.yml --planid 35ffb84b-a898-442e-b5f9-0a6a5229827d --serviceid 260f2ead-b9e9-48b5-9a01-6e3097208ad7 --instanceid $instanceid --bindingid $bindingid | jq '.response.credentials' > "$workdir/credentials.json"
+
+echo "Done. Credentials saved to credentials.json for use with the client. GUIDs saved to instances.txt and bindings.txt. Deprovision later with down.sh."