All I can come up with is this blurb from the configure script.
Path to directory used for storing attachments while a mail is
being sent. There are a few security considerations regarding this
1. It should have the permission 733 (rwx-wx-wx) to make it
impossible for a random person with access to the webserver
to list files in this directory. Confidential data might
be laying around in there.
2. Since the webserver is not able to list the files in the
content is also impossible for the webserver to delete files
lying around there for too long.
3. It should probably be another directory than the data
directory specified in option 3.
But my data dir shows up as same owner as apache user and drwx --- --- for permissions.
And the upload_tmp_dir is commented out in my php.ini.