OK then, let me give you the full spiel, then:
Port 25 outbound is an obvious candidate for filtering, because if you can hit the Internet on port 25, you can deliver e-mail to practically anyone. If that e-mail is unwanted, the only useful “identity” information that the recipient has to try and prevent further abuse is the sending IP address. That identity is tied, in general, to a hosting provider, not an individual subscriber, so any reputation hit for spamming goes, in the first instance, onto the hosting provider. For a cloud provider, whose only customer contact is a (potentially stolen) credit card, there are practically zero consequences that can be imposed on the actual responsible party (the customer). So, the hosting provider ends up wearing the blame. It’s no surprise, therefore, that cloud providers are somewhat reticent to let everyone have unfettered outbound port 25. It’s a shame, but it’s not a surprise.
The thing is, port 587 is a whole different kettle of fish. You cannot deliver e-mail to any address on the Internet by connecting to port 587. In order to get an e-mail sent through port 587, you need to, at the very least, authenticate yourself. That provides an identity, separate from the sending IP address, on which to apply consequences. If the e-mail ends up being spam, then it’s the e-mail provider (as the party which made the connection to port 25) which takes the reputation hit. They know this, and there’s all sorts of stuff they do to balance “getting paid to deliver e-mail” and “not getting blacklisted to hell and back” (with varying levels of success). My point here is that the reputation hit from delivering an e-mail that was submitted over port 587 lands on the intermediary, not the hosting provider.
Now, you might say, “aha! but the Received: headers will show it came from our IP space originally, and we’ll still get blamed”. There are two responses to that. First off, nobody who’s been doing e-mail for more than five minutes believes any Received header they didn’t generate, because they’re trivial to spoof. Much fun was had in the good old days blaming spam on all sorts of innocent parties via that trick. Second of all, if you’re worried about multi-hop reputation problems, you need to block 2525 as well, because guess what? 2525 is a de facto standard submission port, as well, because some people can’t remember two different numbers, or something. They behave practically identically, and any problems you’d have if you allowed submission over the standard port of 587 also apply to submission over 2525.
So, yeah. Unblock outbound 587, please. The Internet thanks you.
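
The port 25 versus port 587 distinction described above, as an added example that is not part of the original post: a small checker that reads an SMTP session transcript and reports whether the server accepted `MAIL FROM` before any successful authentication. The transcripts, hostnames and the `C:`/`S:` line format are constructed for illustration; the `530 5.7.0` and `235` reply codes are the ones RFC 4954 defines for "authentication required" and "authentication succeeded".

```python
import re

# Constructed sample sessions (not captured traffic). "C:" = client, "S:" = server.
PORT_25_SESSION = """\
S: 220 mx.example.net ESMTP
C: EHLO host.example.org
S: 250-mx.example.net
S: 250 STARTTLS
C: MAIL FROM:<a@example.org>
S: 250 2.1.0 Ok
"""

PORT_587_SESSION = """\
S: 220 submit.example.net ESMTP
C: EHLO host.example.org
S: 250-submit.example.net
S: 250 AUTH PLAIN LOGIN
C: MAIL FROM:<a@example.org>
S: 530 5.7.0 Authentication required
C: AUTH PLAIN <redacted>
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<a@example.org>
S: 250 2.1.0 Ok
"""


def mail_accepted_without_auth(transcript):
    """True if any MAIL FROM received a 2xx reply before a 235 (auth success)."""
    authenticated = False
    pending = None  # verb of the last client command still awaiting its reply
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            words = text.split(None, 1)
            pending = words[0].upper() if words else None
        elif side == "S":
            m = re.match(r"(\d{3})([ -])", text + " ")
            if not m or m.group(2) == "-":  # skip malformed and continuation lines
                continue
            code = m.group(1)
            if code == "235":  # 235 is only ever sent for a successful AUTH
                authenticated = True
            elif pending == "MAIL" and code.startswith("2") and not authenticated:
                return True
            pending = None
    return False
```

Run against a transcript from a port 2525 service, the same check applies unchanged, since that port is used for submission in the same way as 587.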