Just to close this off, I've now got a slightly different take on this which is achieving the intended aims:
1. Perl script using Net::LDAP to bind to & query the LDAP directory (actually AD) and extract all user accounts with msExchBlockedSendersHash (and corresponding Safe version). Saves Base64-encoded version into colon-delimited file with sAMAccountName (username) as the key.
2. LDAP lookup in RCPT ACL to obtain sAMAccountName and look up the Base64-encoded blocked/safe lists in the files from (1).
3. ${run construct to pass Base64-encoded envelope sender address and data from (2) to a script which checks for the existence of the address in the list.