If you want to deliver email to other domains then you need to connect to port 25 on the destination domain MX server. As far as I know, best practice for the other ports (465, 587) is to require authentication and to reject anonymous submissions.
Port 25 is only required if the destination doesn't support TLS, I think. I've not opened port 25 outgoing on my server and I've had zero issues delivering sent mail to other servers for maybe 5 years.
I think OP might have meant "receiving on port 25 is getting difficult" rather than sending. The spec requires servers to support unencrypted deliveries over port 25, even though almost all servers use TLS these days.
Even with TLS, that is usually handled by issuing STARTTLS on TCP port 25. I can't find anything in the RFCs mentioning server-to-server smtp delivery happening on anything but port 25? Do you have a reference for that? In fact, even the MX for google domains (aspmx.l.google.com) does not listen on TCP port 465 or 587, only 25.
I'm not certain, so you might be more informed than me. It's possible my server is sending on port 25 and since the firewall I use doesn't block outgoing connection I just didn't notice. TIL!
