Not that MITM'ing is okay (the library should simply block 25/TCP outbound instead), but he really should be using 587/TCP (cf. RFC6409).
$10 says the library has a Cisco ASA firewall (probably installed by some young tech at a local I.T. company) inspecting SMTP traffic (which it does by default). If he would have issued "HELO/EHLO" (instead of "STARTTLS") we would have been able to tell from the return response.
Anyways, if his mail client was configured to use 587/TCP and require STARTTLS, the worst that would happen is that his client would refuse to authenticate to the server (my SMTP servers, for example, do not advertise the "AUTH" verb on 587/TCP until the connection is encrypted) and his credentials wouldn't be compromised.
$10 says the library has a Cisco ASA firewall (probably installed by some young tech at a local I.T. company) inspecting SMTP traffic (which it does by default). If he would have issued "HELO/EHLO" (instead of "STARTTLS") we would have been able to tell from the return response.
Anyways, if his mail client was configured to use 587/TCP and require STARTTLS, the worst that would happen is that his client would refuse to authenticate to the server (my SMTP servers, for example, do not advertise the "AUTH" verb on 587/TCP until the connection is encrypted) and his credentials wouldn't be compromised.