Here's the script we use. We're in an Exchange 2010 environment, so the script looks up the current aliases for each primary address in the Postini file in our Active Directory. This way we drop mailboxes that are gone but still had Postini entries and we get any new aliases that hadn't made it into Postini. the resultant file can be imported into Ironport.
It's been a while so I don't remember if I had to tweak lline endings or anything, but this should get you ont eh right track.