Hello Mcx,
You need to use an IP extended ACL.
Let's suppose that A.B.C.D is your public IP address associated with the router WAN interface.
You need to configure static NAT in order to map services to the internal server:
ip nat inside source static tcp 10.10.10.20 25 A.B.C.D 25
ip nat inside source static tcp 10.10.10.20 80 A.B.C.D 80
ip nat inside source static tcp 10.10.10.20 443 A.B.C.D 443
int s0/0
 ip nat outside
int e0/0
 ip nat inside
access-list 121 permit tcp any host A.B.C.D eq 25
access-list 121 permit tcp any host A.B.C.D eq 80
access-list 121 permit tcp any host A.B.C.D eq 443
access-list 121 permit tcp any host A.B.C.D eq 23 (*)
int ser0/0
 ip access-group 121 in
(*) Allowing Telnet access from the Internet has to be carefully considered. I would suggest using SSH and restricting access with another ACL that is applied under line vty 0 4:
access-list 25 permit host x.y.z.k
line vty 0 4
 access-class 25 in
Hope this helps
Giuseppe
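
The footnote's advice (SSH in place of Telnet, with vty access limited by ACL 25), written out as an added example that is not part of the original post. A.B.C.D and x.y.z.k are the post's own placeholders; the hostname, domain name, user name and the final "established" entry are assumptions.

```cisco
! Added example (constructed). Hostname, domain name and user name are assumed values.
hostname edge-rtr
ip domain-name example.com
! An RSA key pair must exist before the SSH server will start
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret <strong-secret>
!
! Only the management host may open a vty session, and only over SSH
access-list 25 permit host x.y.z.k
line vty 0 4
 access-class 25 in
 transport input ssh
 login local
!
! WAN filter: the three published services, plus SSH from the management host only.
! The "eq 23" entry is left out, so Telnet from the Internet hits the implicit deny.
access-list 121 permit tcp any host A.B.C.D eq 25
access-list 121 permit tcp any host A.B.C.D eq 80
access-list 121 permit tcp any host A.B.C.D eq 443
access-list 121 permit tcp host x.y.z.k host A.B.C.D eq 22
! Assumption: inside hosts also open outbound TCP sessions through this link.
! Without this entry the implicit deny at the end of ACL 121 drops their replies.
access-list 121 permit tcp any any established
!
interface Serial0/0
 ip access-group 121 in
```

After applying it, `show ip access-lists 121` shows per-entry match counters, which confirms that the SSH entry and the service entries are the ones being hit.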