Not that MITM'ing is okay (the library should simply block 25/TCP outbound instead), but he really should be using 587/TCP (cf. RFC6409).

$10 says the library has a Cisco ASA firewall (probably installed by some young tech at a local I.T. company) inspecting SMTP traffic (which it does by default). If he would have issued "HELO/EHLO" (instead of "STARTTLS") we would have been able to tell from the return response.

Anyways, if his mail client was configured to use 587/TCP and require STARTTLS, the worst that would happen is that his client would refuse to authenticate to the server (my SMTP servers, for example, do not advertise the "AUTH" verb on 587/TCP until the connection is encrypted) and his credentials wouldn't be compromised.

Poor use of the term MITM. Is the device replacing certificates (public keys) used to authenticate the mail server to the client? MITM'd typically refers to an active TLS attack where server authentication public keys are substituted allowing a MITM to terminate and reestablish a TLS session to a client. This is just esmtp inspection.

MITM has nothing to do with TLS. It just means that the attacker is talking to both sides simultaniously, giving them the impression to be talking to each other directly. Thus the attacker is able to read manipulate the traffic. This can be used to hand out the attackers own certificates, but is in no way limited to it. I'd call this attack as the library is doing it MITM.