as the function of csf.allow is to let traffic be sent to or come from a whitelisted IP, it should be able to bypass the UID/GID limit for port 25,
For example in a case we had to use a remote smtp of an off server bought mail account for the whmcs script, the off server mail account is used for redundancy, we were however unable to let anyone other than cpanel, mailman, root, mail, ... use the smtp port so as to connect to the specified mail server, even after whitelisting the ip of the remote box.
The reason is probably the LOCALOUTPUT chain is being appended after SMTP_BLOCK rules, so we had to insert a suitable rule with accept target rather than appending one.