Solved. Quite silly though. I have been trying to figure this out for days, and never realised that there is an Email Auto-Protect feature for the AV.
The way to solve this is, to go to Email Auto-Protect, disable it, or change the outgoing port to something else other than 25.
It allowed port 25 despite my rule... is because SEP is configured with Email Auto-Protect, with Port 25 as outgoing port. Change/Disable it...will give me the option to disable the outgoing smtp port.