haraka | Haraka is a secure and efficient short-input hash function | Cryptography library

How do I figure out the proper ports for the server accepting mails on behalf of a particular domain (one that is returned by MX lookup)?

What you've shown in your question is more or less correct. You may want to try the ports in a different order. Also, port 2525 is not an official port from any standard I'm aware of but seems to be a convention for bypassing firewalls that block the submission port 587.

One thing to note is that "accepting mail" is not actually one thing. There are "mail user agents" that do "submission" and "mail transfer agents" that do "transfer". "Submission" and "transfer" often live on different ports which explains some of the diversity you've seen. Figure out whether you're doing submission or transfer and select the appropriate group of ports.

My understanding here is that "default" ports are just conventions, and, in fact, servers can use any free port they choose.

This isn't really true, at least not if the servers want anyone to be able to find them, because ...

How do such "real-world" servers figure out the proper port (or they just brute-forcing through the default ones)?

Mail servers that actually want to be able to receive mail must run on a standard port number. For MTAs this means port 25 with maybe a fallback to 465 (though this isn't standardized either). For MUAs this means port 587 with maybe a fallback to 2525 (also not standardized but apparently in common use as a workaround to MUAs being blocked).

In particular, MX records carry no port information, nor does any other DNS record type related to SMTP.