In a medium to large organization, you should have an internal mail server. In that case, the mail-related protocols (SMTP, IMAP, POP and their SSL variants) should be blocked for all the internal machines except the mail server, which should have unlimited input and output on the SMTP ports (normal and SSL).
In smaller organizations that have no internal mail server, one external mail server should be chosen (normally the ISP's one), and internal machines should only be allowed to connect to that server through the mail-related protocols. In that case, it would make sense to block port 25 and only allow 587 for client mail submission.
That way, even if a client was compromised, it could not be used as an open mail relay.
Your mileage may vary: you could use the first solution, except for a dedicated department which could have special needs...
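Both layouts described above, written as an nftables ruleset for the perimeter gateway. This is an added example, not part of the original text: the addresses, table names and the IMAP/POP port list are assumptions, the rules match IPv4 only, and exactly one of the two tables should be loaded.

```nft
#!/usr/sbin/nft -f
# Constructed addresses: replace with your own LAN and server values.
define LAN         = 10.0.0.0/8
define MAIL_SERVER = 10.0.0.25      # internal mail server (variant A)
define ISP_MAIL    = 192.0.2.10     # chosen external mail server (variant B)
define SMTP_PORTS  = { 25, 465 }    # SMTP and SMTP over SSL
define MAIL_PORTS  = { 25, 465, 587, 110, 995, 143, 993 }
define CLIENT_MAIL = { 587, 110, 995, 143, 993 }  # submission + POP/IMAP

# Variant A: organization with an internal mail server.
table inet mail_egress_internal {
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related accept

        # Only the mail server talks SMTP across the perimeter, both ways.
        ip saddr $MAIL_SERVER tcp dport $SMTP_PORTS accept
        ip daddr $MAIL_SERVER tcp dport $SMTP_PORTS accept

        # Any other internal host: no mail protocols to the outside.
        ip saddr $LAN tcp dport $MAIL_PORTS log prefix "mail-egress-drop " counter drop
    }
}

# Variant B: no internal mail server, one external server allowed.
table inet mail_egress_external {
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related accept

        # Clients may reach the chosen server on 587 and POP/IMAP, never on 25.
        ip saddr $LAN ip daddr $ISP_MAIL tcp dport $CLIENT_MAIL accept

        # Everything else mail-related is dropped, including port 25.
        ip saddr $LAN tcp dport $MAIL_PORTS log prefix "mail-egress-drop " counter drop
    }
}
```

The logged drops are worth alerting on: an internal client that suddenly tries port 25 to many outside hosts is a strong sign of compromise.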