OK, I've configured everything and it's working fine - I now have Roundcube installed with custom Plesk plugins allowing Autoresponders and Passwords to be set.
I installed suhosin and configured it to block the following functions:
suhosin.executor.func.blacklist = dl,exec,leak,passthru,pfsockopen,popen,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,pos,shell_exec,url_include,curl_multi_exec,ftp_exec,pcntl_exec,phpinfo,posox_setuid,proc_close,proc_get_status,proc_nice,proc_terminate,show_source,system$
Based on the initial list given by faris at viewtopic.php?f=2&t=5250&p=31647&hilit=Suhosin#p31634
I turned of PHP checking in ASL to allow suhosin to deal with that for me.
The scripts required access to the plesk autoresponder command via the CLI - so I added apache to the sudoers file for that command only:
apache ALL = NOPASSWD: /usr/local/psa/bin/autoresponder
I enabled exec for in vhost.conf for the domain where the webmail is currently located and everything works great.
Can anyone spot any glaring security issues here? or functions that perhaps should be disabled server wide that I've missed?